[THIN] Re: HOW TO: Acessing a Terminal Server when the client is behind a proxy

  • From: "Trey Mears" <TreyM@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jun 2004 21:52:47 -0700

There is always something you can do...
It is true that this will work in most situations where there are no 
restrictions on CONNECT.
This is from the desproxy manual:
 
"desproxy should work with every HTTP proxy, with the following exceptions:
* HTTP/1.1 Proxies without the CONNECT method. Maybe your network administrator 
deactivated CONNECT support in the proxy, or maybe CONNECT is restricted to the 
HTTPS port (443)."
 
Many of today's modern proxy solutions can be configured to deactivate CONNECT 
support in the proxy as mentioned here.
Many of these solutions can also operate transparently by default so that the 
end user has no ability to reconfigure the local proxy.
For example Squid's default configuration will not allow desproxy to do 
anything useful.  
This is because Squid restricts CONNECT support to port 443 only.
 
I do agree that there will be many situations in which the scenario described 
in the article Cláudio posted will work.
So I would just like to take the time to encourage admins to do their best to 
research, implement and design solutions that will prevent any unauthorized use 
of company resources.
 
 
Trey Mears
Sr. IT Consultant
SCM Consultants, Inc.
A Tetra Tech Company
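Trey's point that Squid's stock configuration only permits CONNECT to port 443, and Claudio's point further down that a 443 tunnel to an ordinary IP does not stand out, together say what an audit of proxy logs should actually look for. The script below is an added example written for this archive page; it is not code from Trey, Claudio or the desproxy project. It reads Squid native-format access.log lines (constructed sample lines are embedded; the addresses are documentation-range values, not real hosts) and flags three things: CONNECT requests the proxy permitted to a port other than 443 (the stock `http_access deny CONNECT !SSL_ports` rule would have refused these, so the policy has been loosened), denied CONNECT attempts to such ports (a client worth correlating with the firewall logs), and long-lived permitted CONNECT tunnels to bare IP literals on 443, which is the log shape of the persistent tunnel the thread describes rather than an ordinary HTTPS page load. The 600-second threshold is an assumption to tune per site.

```python
"""Review Squid native-format access.log lines for CONNECT tunnels.

Added example (not from the thread). Assumes Squid's default native log format:
  timestamp elapsed_ms client status/code bytes method url ident hierarchy/peer type
The sample lines and the 600-second threshold below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
1088458367.123     312 10.1.2.30 TCP_MISS/200 48213 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1088458401.517   15234 10.1.2.30 TCP_MISS/200 912345 CONNECT login.example.net:443 - DIRECT/203.0.113.5 -
1088458520.009 3712440 10.1.2.77 TCP_MISS/200 58120440 CONNECT 203.0.113.10:443 - DIRECT/203.0.113.10 -
1088458600.441       5 10.1.2.77 TCP_DENIED/403 1745 CONNECT 198.51.100.7:3389 - HIER_NONE/- text/html
1088458611.002 2400000 10.1.2.90 TCP_MISS/200 33000000 CONNECT 198.51.100.8:8080 - DIRECT/198.51.100.8 -
"""


@dataclass
class Finding:
    client: str
    dest: str
    reason: str


def parse_native_line(line):
    """Split one native-format line into the fields this review needs (None if malformed)."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, status, nbytes, method, url = parts[:7]
    return {
        "ts": float(ts),
        "elapsed_s": int(elapsed) / 1000.0,   # Squid logs elapsed time in milliseconds
        "client": client,
        "status": status,                     # e.g. TCP_MISS/200, TCP_DENIED/403
        "bytes": int(nbytes),
        "method": method,
        "url": url,                           # for CONNECT this is host:port
    }


def split_connect_target(url):
    """'host:port' -> (host, port); port is None when the suffix is not numeric."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_ip_literal(host):
    """True when the CONNECT target is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def review_connect_tunnels(log_text, allowed_ports=(443,), long_tunnel_seconds=600):
    """Return Findings for CONNECT requests that deserve an admin's attention.

    - CONNECT permitted to a port outside allowed_ports: the proxy policy is looser
      than Squid's stock 'http_access deny CONNECT !SSL_ports'.
    - CONNECT denied to such a port: an attempt worth correlating with the client.
    - Long-lived permitted CONNECT to an IP literal on an allowed port: the shape
      of a persistent tunnel rather than an ordinary HTTPS page load.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_native_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = split_connect_target(rec["url"])
        permitted = rec["status"].endswith("/200")
        if port not in allowed_ports:
            if permitted:
                reason = "CONNECT permitted to non-SSL port; policy looser than default"
            else:
                reason = "CONNECT to non-SSL port denied; audit this client"
            findings.append(Finding(rec["client"], rec["url"], reason))
            continue
        if permitted and is_ip_literal(host) and rec["elapsed_s"] >= long_tunnel_seconds:
            reason = f"long-lived CONNECT ({rec['elapsed_s']:.0f}s) to IP literal on {port}"
            findings.append(Finding(rec["client"], rec["url"], reason))
    return findings


if __name__ == "__main__":
    for f in review_connect_tunnels(SAMPLE_LOG):
        print(f"{f.client:<12} {f.dest:<24} {f.reason}")
```

Run it against a real access.log by passing the file contents to review_connect_tunnels; the hostname-based CONNECT on line two of the sample produces no finding, which is deliberate, since short HTTPS sessions to named hosts are the normal case and the point is to surface only the tunnels that differ from it.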


 

        -----Original Message----- 
        From: thin-bounce@xxxxxxxxxxxxx on behalf of Claudio Rodrigues 
        Sent: Thu 6/17/2004 11:30 AM 
        To: thin@xxxxxxxxxxxxx 
        Cc: 
        Subject: [THIN] Re: HOW TO: Acessing a Terminal Server when the client 
is behind a proxy 
        
        

        The thing is even if you restrict IE, if they have the remote desktop 
client on their machines or if they have access to IE they can hit the Java 
Client page. So unless you know which sites on the internet have an RDP Java 
client available there is nothing you can do (as you will not disable Java 
otherwise everything else that needs it will not work).
        Then as I said, Desproxy can be used on a USB memory drive, without 
anything installed on the user PC (bypassing computer software 
policies/restrictions). If you do not prevent execution for this executable 
using something like Appsense (not on the TS but now on all desktops!) again, 
there is nothing you can do to prevent them going out through the proxy. And 
other apps that I did not mention even support proxy authentication (ISA 
included for example).
        Then you have the firewall logs. Unless you know exactly where the user 
will be connecting there is nothing you can do.
        Rephrasing, you can do a lot. But this will simply drive any 
administrator nuts as he would need to find where they are connecting, deploy 
Appsense or something like that on all desktops, prevent access to all known 
Java RDP based clients (AND update this probably weekly) etc. This is pretty 
much an impossible mission.
        Also connections to "normal" IPs, not on the proxy list of bad, well 
known sites, and on port 443 normally will not look suspicious at all.
        I tested this method on a handful of networks in US/Canadian government 
sites and in all cases I was able to access the remote TS and from there browse 
anywhere I wanted and even copy files from the TS to the local PC.
        So I would say this will work in MOST situations and not in SOME 
situations.
        
        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On 
Behalf Of Trey Mears
        Sent: June 17, 2004 2:03 PM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: HOW TO: Acessing a Terminal Server when the client 
is behind a proxy
        
        
        It is worth noting that the tips that Cláudio posted will work in only 
some situations.
        
        There are many ways to combat the kind of "work around" access referred 
to.
        And any admin worth his salt would do so to prevent unauthorized access 
to prohibited resources.
        It is worth noting that a proxy server is a server that acts as an 
intermediary between a computer and the Internet.
        This ensures security, administrative control, and caching.
        A proxy server and a firewall work together to prevent a direct 
connection between a client and a remote server.
        
        Ways to prevent users from unauthorized use of prohibited resources 
(Including the methods posted by Cláudio)
        
        1.      Use a transparent proxy
        2.      Use group policy to restrict changes to any IE settings
                (This can be set at the computer or user policy)
        3.      Audit firewall logs
        4.      Enforce computer use policies
        
        This is just a short example of some of the possible methods...
        
        Trey Mears
        Sr. IT Consultant
        SCM Consultants, Inc.
        A Tetra Tech Company
        Kennewick, WA
        
        
        
        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On 
Behalf Of Claudio Rodrigues
        Sent: Thursday, June 17, 2004 9:02 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: HOW TO: Acessing a Terminal Server when the client 
is behind a proxy
        
        Here we go now with lots of firewall admins mad at me. :-) I always 
question myself: if anyone can do this, is it worth having a proxy server? 
Hehehehe.
        This works for ICA also in case you do not have CSG.
        And I forgot to mention if you set up your own proxy server at home 
listening on port 443 you can point your company PC web browser to your own 
proxy server at home and therefore bypass all their restrictions completely.
        Another great alternative is OpenVPN in case you want to establish a 
VPN connection to your remote network (home for example) over a proxy server.
        
        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Kenzig http://thin.net
        Sent: June 17, 2004 9:23 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] HOW TO: Acessing a Terminal Server when the client is 
behind a proxy
        
        
        This is a good post from Claudio I came across that was posted last 
week on the MS Newsgroup archived at 
http://groups.google.com/groups?dq=&start=75&hl=en&lr=&ie=UTF-8&group=microsoft.public.windows.terminal_services&selm=%23c%23JFXvTEHA.2408%40tk2msftngp13.phx.gbl
        
        I thought that this would be good to pass along.  Good stuff Claudio.
        Jim
        
        
        Hey guys,
        
        Just a quick How-to for you on how to access a Terminal Server in a 
remote location when you are behind a proxy server that allows only ports 80 
and 443 to the outside.
        Note this may violate your company policy for internet usage. You can 
use this approach to pretty much bypass the internal proxy and even surf the 
internet to any website you want, restricted or not by your company. Again, use 
this at your own risk as you may be violating internal policies.
        
        Scenario:
        Your computer is behind a firewall and proxy server. Internet Explorer 
is set to use a proxy server on port 8080 (can be any other port). No other 
ports are allowed outbound, which means you cannot connect to any TS in the 
outside world on port 3389.
        
        Tools you will need:
        Desproxy: http://desproxy.sourceforge.net/ (no installation is needed. 
Simply copy the executables to, let's say, a USB drive so you do not 
leave any trace on the PC you will use. :-)).
        
        Java RDP Client: this is needed if you cannot use 2 PCs at work. The 
idea is to get your PC listening on a certain port (let's say 3390) and to use 
another PC to connect to it on 3390. Your PC will then forward all traffic to 
the remote TS through your proxy. Of course you can use one PC only. The issue 
is the Microsoft RDP Client is NOT smart enough and when you try to connect to 
the local PC (127.0.0.1) on port 3390 it complains saying you cannot connect to 
your own PC... I guess they did not account for this scenario. Anyhow, the link 
for a web based Java RDP client is 
http://www.hob.de/webapps/JTerm33/www/normaltest_J1.html.
        Just set up a connection to your local PC (127.0.0.1) on port 3390 (in 
this example).
        If you have a second PC simply launch the Microsoft RDP client and 
connect to Your_First_PC_IP_address:3390.
        
        The terminal server on the remote network (the one you want to access) 
must be listening on port TCP 443 (and not 3389). If you want to leave the TS 
on port 3389 or if you need to access a cluster of Terminal Servers, use 
WTSGateway or WTSGateway Pro from http://www.terminal-services.net and 
configure these products to listen on port 443 (your TSs can remain on 3389 in 
this case).
        
        Now simply create a batch file that will launch Desproxy:
        DESPROXY YOUR_TS_IP_Address Port_TS_IS_USING PROXY_SERVER_IP PROXY_SERVER_PORT Local_PC_Port
        Something like:
        Desproxy 64.60.123.124 443 proxywww 8080 3390
        This will make your PC listen on port 3390. All connections on this 
port will be redirected to the IP 64.60.123.124 through your company proxy 
named proxywww (you can use the IP instead) that uses port 8080 for incoming 
connections.
        
        Note I do not support/endorse such procedures and I clearly state you 
are using it at your own risk and you may be violating your company policies.
        But if you do need to connect to machines using the RDP protocol and 
you are limited by a proxy server, this is the way to go.
        
        --
        Cláudio Rodrigues
        
        Microsoft MVP
        Windows Technologies - Terminal Services 
http://www.terminal-services.net
        ********************************************************
        This week's sponsor Vizioncore, Inc.
        --> vc-iMonitor - Performance Monitoring, Control & Reporting
        --> vc-iControl - Desktop & Start Menu Management & Reporting
        --> vc-iMapper - Drive, Printer & COM Management & Reporting
        http://vizioncore.com/products.html
        **********************************************************
        Useful Thin Client Computing Links are available at:
        http://thin.net/links.cfm
        ***********************************************************
        For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode 
use the below link:
        http://thin.net/citrixlist.cfm
        