The appserver is not really intended to be a proxy for anything.
If you use the NSH Proxy functionality (which everyone really should be doing), I generally recommend adding a second appserver to use as the NSH proxy, in order to allow for a greater number of connections through it without affecting the performance of the appserver itself.
I'm sure there are ways this could be done. Quick thoughts:
Depending on the (appserver) platform
- you could probably use iptables to redirect the ports
- on windows, you could use a tool like AnalogX PortMapper
You should then have your internal firewalls blocking RDP and SSH traffic from ALL hosts except the appserver
Then, using a Custom Command should be doable.
Something like the above would probably do it. It would not be an elegant solution, but it would probably do.
One way people do something like this now:
- disable SSH/RDP by default (use NSH/OM with NSH Proxy for most tasks)
- use a BLPackage/Job to enable it when needed
For the Unix servers, why do you want to have ssh enabled at all? Why not just use nsh to access the servers? That way you can disable sshd altogether or disable all users except for one emergency user for sshd.
For Windows, you probably need to keep RDP running for the GUI apps, but as Jude suggested you could use BL to either start the rdp service when it is needed or possibly create a user with a temporary password on the server so that they can then log in and do the work. Knowing when to stop the service or delete the user is a little harder - it could be done on logout or after a certain timeout period.
Thanks for the feedback. Some thoughts:
- Disabling Terminal Services (Windows) or SSH/Telnet on systems and only enabling them through Bladelogic is a great method, but carries some inherent risks which our Organization is not willing to undertake. E.g.: if you have a network outage that blocks appServer/jobserver connectivity to a system, and the System Admins must gain access to a server.
- Using IPtables I think is a great idea to redirect traffic. Does anyone have a sample iptables config that performs this function?
I really wish that BL would do this natively though. I'll ping the Product Managers or put an Enhancement Request in.
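As an added example in response to the request above for a sample iptables config (this is not code from the thread, from BMC, or from BladeLogic), the script below builds the two rule sets the scheme needs: on the appserver, a listen port is DNAT'ed to SSH (22) or RDP (3389) on a managed host; on the managed host, the service port accepts connections only from the appserver and logs anything else before dropping it. The appserver address 10.0.0.10, the target 10.0.0.50 and the listen port 2222 are constructed placeholders. Rules are printed as a dry run and only executed when the operator sets APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread or from BladeLogic itself.
# Generates iptables rules for "SSH/RDP only via the appserver":
#   appserver_rules    - forward a listen port to a managed host (DNAT + MASQUERADE)
#   managed_host_rules - accept the service port only from the appserver, log and drop the rest
# Dry run by default; APPLY=1 makes emit_or_apply actually run each rule.

APPSERVER_IP="${APPSERVER_IP:-10.0.0.10}"   # assumed appserver address (placeholder)

# valid_port PORT -> 0 if PORT is an integer in 1..65535, 1 otherwise
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# appserver_rules LISTEN_PORT TARGET_IP TARGET_PORT
# Connections arriving on the appserver's LISTEN_PORT are rewritten to
# TARGET_IP:TARGET_PORT; MASQUERADE makes the target see the appserver as
# the source, so the managed host's allow-list only needs one address.
# FORWARD only admits that one flow and its replies.
appserver_rules() {
  valid_port "$1" && valid_port "$3" || { echo "bad port" >&2; return 1; }
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -A PREROUTING -p tcp --dport $1 -j DNAT --to-destination $2:$3" \
    "iptables -t nat -A POSTROUTING -p tcp -d $2 --dport $3 -j MASQUERADE" \
    "iptables -A FORWARD -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -p tcp -s $2 --sport $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# managed_host_rules SERVICE_PORT
# Accept SERVICE_PORT from the appserver only; attempts from anywhere else
# are rate-limited into syslog (useful as a detection signal) and dropped.
managed_host_rules() {
  valid_port "$1" || { echo "bad port" >&2; return 1; }
  printf '%s\n' \
    "iptables -A INPUT -p tcp --dport $1 -s $APPSERVER_IP -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport $1 -m limit --limit 5/min -j LOG --log-prefix \"mgmt-port-not-via-appserver: \"" \
    "iptables -A INPUT -p tcp --dport $1 -j DROP"
}

# emit_or_apply: read rules on stdin, print each one, run it only if APPLY=1
emit_or_apply() {
  while IFS= read -r rule; do
    echo "$rule"
    if [ "${APPLY:-0}" = "1" ]; then
      eval "$rule"
    fi
  done
}

# Usage: sh thisfile.sh plan   (prints the plan for SSH on 10.0.0.50 via port 2222)
if [ "${1:-}" = "plan" ]; then
  echo "# on the appserver:";    appserver_rules 2222 10.0.0.50 22 | emit_or_apply
  echo "# on the managed host:"; managed_host_rules 22 | emit_or_apply
fi
```

Two caveats worth keeping in mind: the managed-host rules lock out direct SSH/RDP entirely, so to address the outage concern above, add a second ACCEPT line for a break-glass management subnet or jump host ahead of the DROP; and the LOG line gives the security team a cheap indicator of anyone trying to reach the management ports without going through the appserver.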