There is always something you can do... It is true that this will work in most situations where there are no restrictions on CONNECT. This is from the desproxy manual:

"desproxy should work with every HTTP proxy, with the following exceptions:
* HTTP/1.1 Proxies without the CONNECT method. Maybe your network administrator deactivated CONNECT support in the proxy, or maybe CONNECT is restricted to the HTTPS port (443)."

Many of today's modern proxy solutions can be configured to deactivate CONNECT support in the proxy as mentioned here. Many of these solutions can also operate transparently by default so that the end user has no ability to reconfigure the local proxy. For example, Squid's default configuration will not allow desproxy to do anything useful. This is because Squid restricts CONNECT support to port 443 only.

I do agree that there will be many situations in which the scenario described in the article Cláudio posted will work. So I would just like to take the time to encourage admins to do their best to research, implement and design solutions that will prevent any unauthorized use of company resources.

Trey Mears
Sr. IT Consultant
SCM Consultants, Inc.
A Tetra Tech Company

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx on behalf of Claudio Rodrigues
Sent: Thu 6/17/2004 11:30 AM
To: thin@xxxxxxxxxxxxx
Cc:
Subject: [THIN] Re: HOW TO: Accessing a Terminal Server when the client is behind a proxy

The thing is even if you restrict IE, if they have the remote desktop client on their machines or if they have access to IE they can hit the Java Client page. So unless you know which sites on the internet have an RDP Java client available there is nothing you can do (as you will not disable Java, otherwise everything else that needs it will not work). Then as I said, Desproxy can be used on a USB Memory Drive, without anything installed on the user PC (bypassing computer software policies/restrictions). If you do not prevent execution for this executable using something like Appsense (not on the TS but now on all desktops!), again, there is nothing you can do to prevent them going out through the proxy. And other apps that I did not mention even support proxy authentication (ISA included, for example). Then you have the firewall logs. Unless you know exactly where the user will be connecting there is nothing you can do.

Rephrasing, you can do a lot. But this will simply drive any administrator nuts as he would need to find where they are connecting, deploy Appsense or something like that on all desktops, prevent access to all known Java RDP based clients (AND update this probably weekly) etc. This is pretty much an impossible mission. Also connections to "normal" IPs, not on the proxy list of bad, well known sites, and on port 443 normally will not look suspicious at all.

I tested this method on a handful of networks in US/Canadian government sites and in all cases I was able to access the remote TS and from there browse anywhere I wanted and even copy files from the TS to the local PC. So I would say this will work in MOST situations and not in SOME situations.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Trey Mears
Sent: June 17, 2004 2:03 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: HOW TO: Accessing a Terminal Server when the client is behind a proxy

It is worth noting that the tips that Cláudio posted will work in only some situations. There are many ways to combat the kind of "work around" access referred to. And any admin worth his salt would do so to prevent unauthorized access to prohibited resources.

It is worth noting that a proxy server is a server that acts as an intermediary between a computer and the Internet. This ensures security, administrative control, and caching. A proxy server and a firewall work together to prevent a direct connection between a client and a remote server.

Ways to prevent users from unauthorized use of prohibited resources (including the methods posted by Cláudio):
1. Use a transparent proxy
2. Use group policy to restrict changes to any IE settings (this can be set at the computer or user policy)
3. Audit firewall logs
4. Enforce computer use policies

This is just a short example of some of the possible methods...

Trey Mears
Sr. IT Consultant
SCM Consultants, Inc.
A Tetra Tech Company
Kennewick, WA

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Claudio Rodrigues
Sent: Thursday, June 17, 2004 9:02 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: HOW TO: Accessing a Terminal Server when the client is behind a proxy

Here we go now with lots of firewall admins mad at me. :-) I always question myself. If anyone can do this, is it worth having a proxy server? Hehehehe.

This works for ICA also in case you do not have CSG. And I forgot to mention, if you set up your own proxy server at home listening on port 443 you can point your company PC web browser to your own proxy server at home and therefore bypass all their restrictions completely. Another great alternative is OpenVPN in case you want to establish a VPN connection to your remote network (home for example) over a proxy server.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig http://thin.net
Sent: June 17, 2004 9:23 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] HOW TO: Accessing a Terminal Server when the client is behind a proxy

This is a good post from Claudio I came across that was posted last week on the MS Newsgroup archived at http://groups.google.com/groups?dq=&start=75&hl=en&lr=&ie=UTF-8&group=microsoft.public.windows.terminal_services&selm=%23c%23JFXvTEHA.2408%40tk2msftngp13.phx.gbl

I thought that this would be good to pass along. Good stuff Claudio.

Jim

Hey guys,

Just a quick how-to for you on how to access a Terminal Server in a remote location when you are behind a proxy server that allows only ports 80 and 443 to the outside. Note this may violate your company policy for internet usage. You can use this approach to pretty much bypass the internal proxy and even surf the internet to any website you want, restricted or not by your company. Again, use this at your own risk as you may be violating internal policies.

Scenario: Your computer is behind a firewall and proxy server. Internet Explorer is set to use a proxy server on port 8080 (can be any other port). No other ports are allowed outbound, which means you cannot connect to any TS in the outside world on port 3389.

Tools you will need:

Desproxy: http://desproxy.sourceforge.net/ (no installation is needed. Simply copy the executables to, let's say, a USB drive so you do not leave any trace on the PC you will use. :-))

Java RDP Client: this is needed if you cannot use 2 PCs at work. The idea is to get your PC listening on a certain port (let's say 3390) and to use another PC to connect to it on 3390. Your PC will then forward all traffic to the remote TS through your proxy. Of course you can use one PC only. The issue is the Microsoft RDP Client is NOT smart enough and when you try to connect to the local PC (127.0.0.1) on port 3390 it complains saying you cannot connect to your own PC... I guess they did not account for this scenario. Anyhow, the link for a web based Java RDP client is http://www.hob.de/webapps/JTerm33/www/normaltest_J1.html. Just set up a connection to your local PC (127.0.0.1) on port 3390 (in this example). If you have a second PC simply launch the Microsoft RDP client and connect to Your_First_PC_IP_address:3390.

The terminal server on the remote network (the one you want to access) must be listening on port TCP 443 (and not 3389). If you want to leave the TS on port 3389 or if you need to access a cluster of Terminal Servers, use WTSGateway or WTSGateway Pro from http://www.terminal-services.net and configure these products to listen on port 443 (your TSs can remain on 3389 in this case).

Now simply create a batch file that will launch Desproxy:

DESPROXY YOUR_TS_IP_Address Port_TS_IS_USING PROXY_SERVER_IP PROXY_SERVER_PORT Local_PC_Port

Something like:

Desproxy 64.60.123.124 443 proxywww 8080 3390

This will make your PC listen on port 3390. All connections on this port will be redirected to the IP 64.60.123.124 through your company proxy named proxywww (you can use the IP instead) that uses port 8080 for incoming connections.

Note I do not support/endorse such procedures and I clearly state you are using it at your own risk and you may be violating your company policies. But if you do need to connect to machines using the RDP protocol and you are limited by a proxy server, this is the way to go.

--
Cláudio Rodrigues
Microsoft MVP Windows Technologies - Terminal Services
http://www.terminal-services.net

********************************************************
This week's sponsor Vizioncore, Inc.
--> vc-iMonitor - Performance Monitoring, Control & Reporting
--> vc-iControl - Desktop & Start Menu Management & Reporting
--> vc-iMapper - Drive, Printer & COM Management & Reporting
http://vizioncore.com/products.html
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
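The defensive points raised in the thread (Trey's advice to audit logs, Squid allowing CONNECT only to port 443, and Cláudio's remark that CONNECT to an ordinary IP on 443 does not look suspicious) can be turned into a simple proxy-log check. The following is an added example, not code from anyone in the thread: it parses constructed Squid native access.log lines and reports CONNECT tunnels that went to a bare IP address and stayed open long or moved many bytes, plus CONNECT attempts the proxy denied. The sample lines and thresholds are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1087486200.123 184532 10.1.2.3 TCP_TUNNEL/200 8523490 CONNECT 64.60.123.124:443 - DIRECT/64.60.123.124 -
1087486201.004 312 10.1.2.3 TCP_TUNNEL/200 15234 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1087486202.900 95 10.1.2.4 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1087486203.500 600000 10.1.2.5 TCP_TUNNEL/200 120000000 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1087486204.100 40 10.1.2.6 TCP_DENIED/403 0 CONNECT 203.0.113.9:3389 - HIER_NONE/- text/html
"""

# Only the leading fields are needed; user/hierarchy/type columns are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def flag_connect_tunnels(log_text, min_seconds=60, min_bytes=1_000_000):
    """Return (client, host, port, reason) for CONNECT requests worth a look."""
    # A browser's TLS session to a hostname is short and small; a tunnel carrying
    # RDP is long-lived, moves a lot of data and (in the thread's example) goes
    # to a bare IP.  Denied CONNECTs show the 'CONNECT only to 443' rule (Squid's
    # default) doing its job and are reported too.  Thresholds are assumptions.
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["url"].rpartition(":")  # IPv4 or hostname, not [v6]
        if m["status"].startswith("TCP_DENIED"):
            hits.append((m["client"], host, port, "denied CONNECT (policy hit)"))
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname destination: ordinary HTTPS, not flagged here
        seconds = int(m["elapsed"]) / 1000
        nbytes = int(m["bytes"])
        if seconds >= min_seconds or nbytes >= min_bytes:
            hits.append((m["client"], host, port,
                         f"tunnel to bare IP, {seconds:.0f}s, {nbytes} bytes"))
    return hits

if __name__ == "__main__":
    for hit in flag_connect_tunnels(SAMPLE_LOG):
        print(hit)
```

On the sample data the two long tunnels to bare IPs and the denied CONNECT to 3389 are reported, while the short session to www.example.com:443 and the plain GET are not.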