3 Replies Latest reply on Aug 21, 2009 3:13 PM by Vinnie Lima

    How to force proxy RDP/SSH connections through app server?

    Vinnie Lima



      We have a requirement to restrict System Admin access to a Windows or Unix/Linux server only via the BL CM GUI, so that we can enforce the RBAC definitions.  We would like to perform this by requiring the SAs to launch an RDP or SSH/Telnet request to a target system via Bladelogic.


      Today - this is done via Custom Commands and works fine.  What we would like to do additionally is to restrict *direct* RDP/SSH/Telnet access to the managed server. To do this, we have to find a way for Bladelogic to "tunnel" or proxy the client connection through Bladelogic (similar to how NSH proxy works).


      Has anyone found a way to only allow RDP/SSH/Telnet connections to a managed server IF they have been sourced from the CM GUI?  Opsware has this capability (not sure how it is done) but quite handy.  I believe what would be required is for some sort of dynamic port redirect to be established when the user selects the custom command, which would force the RDP client to connect in the following fashion:


      RDP Client ---> AppServer(on random port) ---> redirect to target (destination port).


      Obviously some level of access control/clean up of these port redirects would have to occur to prevent intrusion.


      Thanks for any insight.



        • 1. Re: How to force proxy RDP/SSH connections through app server?

          The appserver is not really intended to be a proxy for anything.

          If you use the NSH Proxy functionality (which everyone really should be doing), I generally recommend adding a second appserver to use as the NSH proxy, in order to allow for a greater number of connections through it without affecting the performance of the appserver itself.



          I'm sure there are ways this could be done.  Quick thoughts:


          Depending on the (appserver) platform

               - you could probably use iptables to redirect the ports

               - on Windows, you could use a tool like AnalogX PortMapper


          You should then have your internal firewalls blocking RDP and SSH traffic from ALL hosts except the appserver


          Then, using a Custom Command should be doable.


          Something like the above would probably do it.  It would not be an elegant solution, but it would probably do.



          One way people do something like this now:

          - disable SSH/RDP by default (use NSH/OM with NSH Proxy for most tasks)

          - use a BLPackage/Job to enable it when needed

          • 2. Re: How to force proxy RDP/SSH connections through app server?
            Paul Seager-Smith

            For the Unix servers, why do you want to have ssh enabled at all? Why not just use nsh to access the servers? That way you can disable sshd altogether or disable all users except for one emergency user for sshd.


            For Windows, you probably need to keep RDP running for the GUI apps, but as Jude suggested you could use BL to either start the RDP service when it is needed or possibly create a user with a temporary password on the server so that they can then log on and do the work. Knowing when to stop the service or delete the user is a little harder - it could be done on logout or after a certain timeout period.





            • 3. Re: How to force proxy RDP/SSH connections through app server?
              Vinnie Lima

              Thanks for the feedback.  Some thoughts:


              • Disabling Terminal Services (Windows) or SSH/Telnet on systems and only enabling them through Bladelogic is a great method, but carries some inherited risks which our Organization is not willing to undertake. E.g.: if you have a network outage that blocks appServer/jobserver connectivity to a system, and the System Admins must gain access to a server.
              • Using iptables I think is a great idea to redirect traffic.  Does anyone have a sample iptables config that performs this function?


              I really wish that BL would do this natively though.  I'll ping the Product Managers or put an Enhancement Request in.
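The per-session redirect sketched earlier in the thread (RDP client -> app server on a random port -> target on its real port), as an added example that is not from the thread, from BladeLogic or from any of the posters: a POSIX shell script for a Linux app server that installs iptables DNAT/MASQUERADE rules for one administrator's source IP, hands back the random listener port, and removes the same rules after a timeout. The port range 40000-49999, the `blsession-` comment tag, and the sample addresses in the usage line are constructed assumptions; the script has to run as root with `net.ipv4.ip_forward=1`, and it is meant to be launched by the Custom Command rather than by the administrators themselves.

```shell
#!/bin/sh
# Added example (not part of the thread): a dynamic, per-session port
# redirect on a Linux app server. One random high port is forwarded to a
# managed host's RDP (3389) or SSH (22) port for a single admin source IP,
# and the rules are torn down again after a timeout. Requires root and
# net.ipv4.ip_forward=1. IPTABLES defaults to the real binary; set
# IPTABLES=echo to preview the generated rules without applying them.
IPTABLES=${IPTABLES:-iptables}

# Pick an unprivileged listener port in 40000-49999 (constructed range).
pick_port() {
    echo $(( 40000 + $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % 10000 ))
}

# Print the iptables commands for one redirect. $1 is the action (-A to
# add, -D to delete), then admin source IP, listener port, target IP and
# target port. Every rule carries the same comment tag so stale entries
# can be found and removed later with "iptables -S | grep blsession-".
redirect_rules() {
    action=$1; src=$2; lport=$3; dst=$4; dport=$5
    tag="blsession-$lport"
    # 1. Rewrite the destination of packets from the admin that hit our port.
    echo "$IPTABLES -t nat $action PREROUTING -p tcp -s $src --dport $lport -m comment --comment $tag -j DNAT --to-destination $dst:$dport"
    # 2. Allow the rewritten flow and its replies through the FORWARD chain.
    echo "$IPTABLES $action FORWARD -p tcp -s $src -d $dst --dport $dport -m comment --comment $tag -j ACCEPT"
    echo "$IPTABLES $action FORWARD -p tcp -s $dst --sport $dport -d $src -m conntrack --ctstate ESTABLISHED -m comment --comment $tag -j ACCEPT"
    # 3. Source-NAT so the managed host sees the app server, not the admin;
    #    this is what lets the managed host's own firewall allow RDP/SSH
    #    from the app server address only, as suggested in the thread.
    echo "$IPTABLES -t nat $action POSTROUTING -p tcp -d $dst --dport $dport -m comment --comment $tag -j MASQUERADE"
}

# Open a session: install the rules, schedule their removal after $ttl
# seconds (default 8 hours) so a forgotten session cannot stay open, and
# print the listener port for the RDP/SSH client to connect to.
open_session() {
    src=$1; dst=$2; dport=$3; ttl=${4:-28800}
    lport=$(pick_port)
    redirect_rules -A "$src" "$lport" "$dst" "$dport" | sh
    # Background timer deletes the rules; -D needs the identical match.
    ( sleep "$ttl"; redirect_rules -D "$src" "$lport" "$dst" "$dport" | sh ) &
    echo "$lport"
}

# Usage (as root on the app server), with constructed sample addresses:
#   sh redirect.sh open 10.0.0.5 10.1.1.20 3389 3600   # RDP session, 1 h
#   sh redirect.sh preview 10.0.0.5 40123 10.1.1.20 22 # just print rules
case "${1:-}" in
    open)    shift; open_session "$@" ;;
    preview) shift; redirect_rules -A "$@" ;;
esac
```

The listener rule matches on the admin's source address as well as the port, so a scan of the app server from elsewhere never reaches the redirect, and the cleanup timer addresses the "clean up of these port redirects" concern raised in the question; the managed host's firewall still has to drop RDP/SSH from everything except the app server for the restriction to hold.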