Just kidding, you Mac people, I know you take exception to such remarks. Now cool down, and go back to your iTunes.
Anyway, to get back to the networking post. The topic of today is how to connect across firewalls.
Let me lay out the scenario for you. There is the simple case where you have servers behind a firewall. Like so:
In the above layout, all the servers and the accessing laptop run one or other version of Microsoft Windows. Why? Cuz I says so. Seriously, because that's the setup that I have. My laptop runs Windows 7 and all the servers run Windows Server 2003.
Also note that in the above diagram I have left out a lot of IP addresses. That is because they are not relevant for the purposes of today's post; you are only concerned with the ones mentioned.
To connect to any of the servers, you simply run the VPN setup wizard and let things take care of themselves. Now you can access the servers using Windows Remote Desktop (RDP), Microsoft Team Viewer, Web browser or whatever. Pretty standard and you probably do this on a regular basis. Nothing to it and hardly worth mentioning.
I mention this just to lay out the scenario for a more complicated setup.
In my case, a number of 3rd parties allow me access to their servers, but only from my servers over a site-to-site VPN tunnel. To make life more complicated, they have security in place (Cisco Access Control Lists) that only allows connections from selected IPs. That means that only my "Server 1" and "Server 2" can reach those partner servers. Below is the scenario:
As you can see, there is a second firewall between my laptop and the target server. All the partner servers run one or other version of Linux (RedHat, CentOS, etc). To work on these Linux servers, I need to get an SSH session. Also, ftp for that matter, but having the ability for one automatically gives the other.
What I was doing previously was a real kludge: I would first use Windows Remote Desktop to get a session on my "Server 1" then from there use PuTTY and ftp to work on the Linux servers.
There are two major disadvantages to this way of working.
Firstly, this puts a lot of load on my communications line as the RDP GUI session is being replicated here on a pixel-by-pixel basis. Also, to transfer files in either direction, I had to ftp them first to "Server 1" and then to the destination. A real time waster.
The second, and worse, problem was that a number of my colleagues had to work on the Linux servers at the same time, and RDP has a limit on the number of concurrent connections that a Windows Server allows. Hence, a lot of my time was spent listening to complaints that people could not work because they could not get a free session.
SSH to the rescue!
A bit of Googling and posting to newsgroups introduced me to the tunneling capabilities of PuTTY. A special thanks to Angel Gonzalez of the openssh-unix-d mailing list.
PuTTY can set up a tunnel along with an SSH session that forwards connections made to a local port over to the SSH server. Now, this is the important bit, so be sure to read it carefully: what PuTTY does is tell the server to forward your local requests. That is, you specify a local port in your session; PuTTY accepts connections on that port and sends them through the SSH session to the SSH server, and it is the server that makes the onward connection to the destination. A sort of double-forward configuration. This confused me at the start, as I was trying to do it in one go. The trick is to configure it in two steps.
First of all, I needed an SSH server on my W2K3 "Server 1". I got that from Source Forge. Setting it up is a snap: run the installer, then read the quick start guide. Believe me, you can't make it work without reading it. A good example is given here.
Test it by running PuTTY on your laptop and opening an SSH session to your server; in my case, to 192.168.0.1. One problem that I had was that the cursor keys didn't work. Another was that if I ran any program that opens its own window, I couldn't see it. (Well, of course!) Not to worry, we don't really need to bother with either.
Time for the configuration.
What we need to do is tell PuTTY to open an SSH connection plus set up the port forwarding. To do this, follow these screen snapshots.
Configuring the SSH session:
Configuring the tunnel / port forwarding:
You will need to add multiple entries here. The port number is any free port on your local computer. What this does is forward connections made to port 5001 on the local computer, through the SSH server, to port 22 of the destination. Add an entry for each of the remote servers. You don't specify the W2K3 server's IP here, as it is already given on the first screen. Now go back to the first screen and save your session.
The thing to remember is that the tunnels are not set up first; they only come up after the SSH session is established.
Configure the remote session:
Open a fresh copy of PuTTY and use these values on the first screen only. Do not enter anything on any other screen.
Save this entry for "Remote 1". Make new fresh entries for other remote servers.
Connecting:
Now, connect the first session that you made for "Server 1". You will get a login prompt for the W2K3 box. Enter your user id and password and you will see a DOS prompt. Ignore it. Minimize the window. What we have done is open an SSH session that we don't actually need, in order to get the tunnels running that we do need.
Finally, connect the SSH session for the second entry, the one with 127.0.0.1 as the host name, and you'll get a prompt for the Linux login. Tada!
Hopefully, from the above, you'll understand that the same thing will work for ftp as well.
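To make the "double-forward" idea concrete, here is a small Python program (an added example, not code from the post or from PuTTY) that does in user space what the first hop of the setup does: it listens on a local port and relays every accepted connection, byte for byte, to a destination host and port. In the real setup the relay rides inside the SSH channel and it is the SSH server on "Server 1" that opens the outbound connection to port 22 of the Linux box, which is exactly why the partner's access lists see Server 1's address rather than the laptop's. The echo server in the block stands in for the Linux sshd and is constructed purely for the demonstration; the listener binds to an ephemeral port on 127.0.0.1 instead of the post's 5001 so it runs anywhere.

```python
"""Minimal local TCP port forwarder (added example; not the post's own code).

LocalForwarder listens on a loopback port and relays each connection to
a destination, which is what PuTTY's "Local" tunnel entry asks the SSH
server to do on the laptop's behalf.  EchoServer is a constructed stand-in
for the Linux sshd so the whole thing runs offline.
"""
import contextlib
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


def _relay(client, dest):
    """Open the onward connection and pump bytes in both directions."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()          # destination unreachable: drop the client cleanly
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class LocalForwarder:
    """Accept connections on listen_addr and relay each one to dest."""

    def __init__(self, listen_addr, dest):
        self.dest = dest
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Bind to 127.0.0.1 only, so other hosts on the LAN cannot ride the tunnel.
        self.sock.bind(listen_addr)
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return          # listener closed
            threading.Thread(target=_relay, args=(client, self.dest), daemon=True).start()

    def close(self):
        self.sock.close()


class EchoServer:
    """Constructed stand-in for the remote sshd: echoes one connection's bytes."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def close(self):
        self.sock.close()


def roundtrip(payload):
    """Send payload through forwarder -> echo server and return what comes back."""
    echo = EchoServer()
    fwd = LocalForwarder(("127.0.0.1", 0), ("127.0.0.1", echo.port))
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)      # tell the far side we are done sending
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(roundtrip(b"SSH-2.0-demo\r\n"))
```

PuTTY exposes the same tunnel entry on its command line: `putty -ssh -L 5001:REMOTE1_IP:22 user@192.168.0.1` (REMOTE1_IP being the Linux server's address, which the post's diagram does not give) is equivalent to the "Local" forwarding screen above. Whichever way you configure it, leave the listener on 127.0.0.1: PuTTY's "Local ports accept connections from other hosts" option is off by default, and turning it on would let anyone on your LAN reach the partner servers through your laptop with Server 1's trusted address.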


1 comment:
Microsoft might have spoiled everyone as far as configuring/managing a network is concerned, however, the real beauty i.e. its design at the core & distribution level still holds its power in command prompt. A bit of GUI is acceptable, but the power of TeraTerm or Putty is irreplaceable ! Lovely post though :)