Remotely run interactive plink session on another computer - windows

Currently users RDP from their workstation to a server over a VPN and then run putty from that server to connect to the customer's server over a different VPN. We are unable to create a separate physical or logical path to the customer's server because there are some finicky configurations on their end so that the legacy software will still function.
How can I configure a way to allow our users to pivot off of our server to the customer's server directly from their workstations without using RDP to connect via SSH to the customer with an interactive prompt?
I've been trying to use plink, but I'm open to suggestions of other software if needed.
Below is a basic picture showing the connectivity.

Related

Steps required to SSH into Azure Windows VM from a Linux VM

Having created a Windows Azure VM and opened ports 3389 and 22 for inbound RDP and SSH connections, respectively.
I can successfully connect to the vm via RDP from a remote Windows PC.
Testing SSH connection in the Portal succeeds. However trying to connect from a remote Linux VM using SSH fails.
Given that SSH connection test within the portal succeeds, it suggests that (1) it is possible to SSH into a Windows VM; and (2) there is no other config required on the server, i.e. installing OpenSSH (or similar) / copying over key file(s) to some location etc. However, the help steps in the Azure Portal for my Windows VM, for making remote SSH connections, suggest that maybe a public key needs to exist on the server and that I need the private key on the Linux VM I am trying to connect from.
Please could someone help me understand if ssh into windows Azure VM is possible and if so, the requirements / minimum set of steps (on the target Windows VM and the source Linux VM) I need to get to a state that I can successfully SSH.
Other posts re similar question posted have not helped me connect via ssh. I have not found a 'golden source of truth' on Microsoft docs. Maybe I missed it.
Thank you.
A Windows Server doesn't typically come pre-built and ready to go with SSH access and it requires some setup. You can follow this to set up your Azure VM for SSH access. You can configure SSH on a Windows Azure VM for access, check out How to Set Up OpenSSH on a Windows Server. After deploying OpenSSH, you can follow the steps on connecting via SSH with a client in the Azure portal on your Linux client to access that Windows VM via SSH.

Site-to-site VPN vs point-to-site VPN

I have a scenario where I have a Windows VM in windows Azure that needs to connect to an external customer network (and connect to a database that is not in Azure).
This traffic is uni-directional in that it is only my VM that needs to connect to the customer's databases and not the other way around. Site to site is managed on Azure, which I cannot really test locally.
Conceptually, connecting to the customer's network via a point-to-site VPN seems more suitable (by creating the VPN connection in Windows itself via the network config).
The customer prefers site-to-site even though they don't need to connect to my VM. Am I missing something?
In point-to-site, you have to connect to the network you want to access manually. Usually, if you log-off or restart the workstation it loses connection, and you have to reconnect every time. It's common to use this type of VPN when we are working remotely, and we need to access our company assets. The channel is bi-directional, but it's 1-to-many.
Site-to-site is used when you want to connect two networks and keep the communication up all the time. It's also bi-directional, but it's many-to-many and stays up no matter if your server/workstation is running or not because the connection is established through a network gateway and not from the computer operating system.
In Azure, the Virtual Network Gateway is the platform providing both functionalities. You can configure site-to-site to connect to your customer network. If this network is not running in Azure, they usually have an appliance to establish dedicated tunnels. As long as it supports IPsec IKE, you are good to go.
If you are using the VM in Azure as a workstation, then point-to-site may be enough, but if your application needs to get data from the customer database automatically with or without someone logged in the VM, then site-to-site is a better approach.
A better explanation can be found here

Is there a way to remote debug on a different subnet in Visual Studio?

I have a client who is remote. I need to debug some weird problem that none of my other clients are having. Before I try and set up a conference with this client, I would like to know if there is some way of remotely debugging our application.
I see that there are remote debugging tools available for Visual Studio, but from what I've read, I need to be on the same subnet. As the person is remote, this is not a possibility. Also, as I'd like to keep our connection secure, I would need to connect up some sort of encrypted tunnel (this is where I'm a little fuzzy as my networking skills are mostly theoretical).
As I understand it, an encrypted tunnel is a bridge to another (different) subnet. This is to ensure that those computers on the other side won't interfere with the local subnet computers.
So, because the client's computer is on a different subnet, I think that this is not possible. Or is it? Should there not be a way of making the client's computer show up as a virtual computer on my subnet, by forwarding packets from one subnet to another? I would think that this is theoretically possible, but I'm not exactly sure how I would go about this.
Also, at the moment, my current way that we connect to clients is through GoToMeeting, but I don't think that it supports tunneling. If not, then I may need some way of generating a tunnel, so I was also thinking of maybe using some SSH programme like PuTTY.
As I have said before, my knowledge of networking is quite theoretical, so if the tools that I am suggesting are not the correct ones, please correct me. (I'm a programmer, damn it! Not a network engineer!)
Both computers are Windows boxes. Windows 10 (client) and Windows 8.1 (development).
If you can connect to an ssh server in the remote network, you can (subject to configuration on the server) create a tunnel such that you connect to a socket on your local PC and the connection appears from the server to an endpoint on the remote network.
You'll want to investigate the -L command of OpenSSH, which combined with the PuTTY docs, should help explain what's required.
By default, the endpoint would be a port on the ssh server, but it could be a port on a different host that the remote server can connect to.
I'm not familiar with the current state of Windows SSH servers, but even if there isn't a system server to hand, you should be able to have one run 'on demand' - if you run it on a non-privileged port and by the user you want to connect in as, it shouldn't even need Admin privileges.
I'm not familiar with GoToMeeting, but the one thing with SSH tunnelling is that IT depts should be familiar with SSH. If trying that, focus on getting a working connection in, then setting up the tunnel, then connecting through it as separate steps.
Once you have an SSH connection, then it doesn't need to do something itself, and you can then investigate connecting while specifying the port forwarding, but you will need to get the basic connection working correctly first.

Detect RDP Session on Remote WinXP machine (not on local network or domain)

I have set up a Win XP machine at work that we use as our server, to allow RDP connections. This allows all our staff to access the server from home when needed. As it is not a server OS, we are missing many of the terminal services features a regular server would have. The machine only allows one RDP session at a time (which is a minor inconvenience, but not a big deal).
What is bothersome, is that no one can tell if the server is currently being used in an RDP session, and we all keep booting each other off. Every solution I have found online assumes the remote computer is a Server OS or on a local network/domain. Our staff's home computers are not connected to the office network and we have no domain set up at the office.
Is there any way to tell if the server is in an RDP session before remoting onto the server from home? Ideally we would be able to detect which home computer is accessing the server. But if that is not possible, it would be extremely helpful to at least know that an RDP session is running.
We were previously using logmein, which could tell us if the remote computer keyboard and mouse were active and allow a chat with the user currently remoted on/physically on the machine. This was extremely convenient, but involves logging onto the logmein website and going through a semi-lengthy process of connecting. It is also much slower and resolution is much worse than RDP. Not super convenient for regular daily use.
This post deals with the same issue
https://superuser.com/questions/313390/ways-to-check-if-user-is-active-on-remote-machine-before-rdping
but the accepted response is to use qwinsta on cmd, which I believe is only available on server OS's. Other responses include using psexec (I've tried using psloggedon.exe, but this appears to only work for users on the same domain). Another suggests using the wmic.exe command, but when I try that I get the error: The RPC Server is unavailable (I think this also needs to be run on the same domain).
So basically - is there any way to check for active rdp sessions on a Win XP machine from a remote computer not on the local network/domain?
I'm open to outside-the-box solutions like writing a simple app to run on the xp server and tell remote machines what IP is connected in an RDP session.
Going on Harry Johnston's suggestion, I wrote an app which finds who is connected to the xp machine on port 3389, and relays that information by udp to receiving apps. Now we can check if someone is connected and who it is before unwittingly booting them off. Thanks Harry!
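
A minimal sketch of the kind of app described above, as an added example that is not the poster's code: it parses `netstat -an` output for ESTABLISHED connections to the local port 3389 and builds a status message to relay over UDP. The sample netstat text, the message format and the destination passed to `send_status` are assumptions made for illustration.

```python
import re
import socket

RDP_PORT = 3389

# Constructed sample of `netstat -an` output (documentation/private addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.45:51822     ESTABLISHED
  TCP    192.168.1.10:1042      198.51.100.7:3389      ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.23:49731    TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def rdp_clients(netstat_text, port=RDP_PORT):
    """Return remote IPs with an ESTABLISHED inbound connection to the RDP port."""
    clients = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        # Match on the *local* port so outbound RDP from this host is not counted,
        # and require ESTABLISHED so LISTENING/TIME_WAIT rows are ignored.
        if int(local_port) == port and state == "ESTABLISHED":
            clients.append(remote_ip)
    return clients

def status_message(clients):
    """Hypothetical wire format: 'FREE' or 'IN_USE <ip>[,<ip>...]'."""
    return "IN_USE " + ",".join(clients) if clients else "FREE"

def send_status(message, dest):
    """Send one UDP datagram to dest=(host, port); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("ascii"), dest)

if __name__ == "__main__":
    print(status_message(rdp_clients(SAMPLE_NETSTAT)))
```

The datagram is unauthenticated plaintext and reveals who is connected, so receivers should treat it as a hint and the receiving port should only be reachable by staff machines.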

Putty: remote my server from my home

There is a server in my company and many people in the company work on it by Putty. We installed the Putty for our own computers to remote the server. BUT all of these happened in the company's inner web.
Now I want to remote the server from outer web. For example, I am home and I work on the company's server. For now I don't know how to realize this.
How can I configure the server and my PC at home?
Need I make some configuration for the router of the company? How?
Thanks in advance.
Assuming your company has a competent IT staff, there is a firewall that blocks incoming SSH attempts out. (It is called SSH, not Putty. Putty is just a program that Windows users tend to use for SSH.) Inside the company's network, you can SSH. So, from home, you will hit a firewall and you can't SSH in.
Does your company have a VPN system? If so, use that. There are many forms of VPN. Your company's IT staff can tell you how to configure your home machine so it can connect to the company's VPN. Once it does that, it will be as though your home computer is inside the company. You are inside the firewall. You can SSH.
You can ask if they will open the firewall for you. They shouldn't, but you can ask.
If you don't have VPN, all is not lost, but it gets more difficult. I don't expect you to do this, so I will only list the steps.
Install an SSH server on your home computer. Get it up and running. SSH into it from another computer at home.
Forward incoming port 22 requests to your home's firewall/router to your home computer so you can SSH into your home machine from outside your house, i.e. from work. Test it from work to ensure it works.
Set up a reverse port forward SSH connection from the server at work to your home computer. What this does is initiate an SSH connection from the work server to your home computer. It then listens on a port on your home computer (pretend you used 2222 as the port). Now, from home, you SSH to your home computer (localhost) on 2222 and it connects over the previously made connection to the server at work.
Your IT staff might notice that you did this. They probably won't like it because you are bypassing their firewall.
You can either forward the port of the server to the public internet, or you can set up a VPN located inside your company's LAN that can be reached from outside the LAN such as OpenVPN.
Note: If you are planning to forward the server directly, make sure the server's security settings are set up correctly to prevent misuse by attackers. You can also restrict access to specific IP addresses using a firewall.
Assuming that your server is behind corporate network, you MUST require a VPN connection to access it. Talk to your IT department and they will be able to help with setting VPN connection.
