| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hello, I would like to set up a way so I can access the management station via the SmartConsole tools from the entire LAN and not just from the IPs I have configured as GUI clients with cpconfig. I do not want to add the ranges of all the LANs here to the GUI clients' IP list though. I was wondering if there was some way I could "bounce" the connection over another host. I have a network monitoring host running linux/debian and ideally I would connect with smartconsole to that device which would relay it to the CP Firewall. Does anybody have any ideas or tips on how to achieve this? Or maybe a tutorial somewhere? Thanks. Kevin |
| |||
| Thanks Jim. How do I go about this? The Dashboard login screen doesn't have an option to enter a place to bounce using ssh, so I assume I will need to set this up on my management host, the one I want to bounce on. How will it handle the SSH authentication though? I can set up a port forward easily enough, but a bounce is something different altogether. I want it to require authentication for the SSH connection and of course it needs to actually change the source address of my traffic because otherwise the CP will not allow it. Any tips? kind regards, Kevin |
| |||
| There is a good detailed article at http://www.securityfocus.com/infocus/1816 but the short version is you need an ssh client on the system you are using and an ssh server that can access the firewall. Personally I use an internal linux system as the ssh server and VanDyke's etunnel as my client. |
| |||
| Thanks again. That article is very clear. The piece of software you suggest (which I think is called Entunnel, not Etunnel) is not freeware. I first tested this with "SSH Tunnel Client 3.0" which is free for personal use. Available on many download sites, publisher's page seems to be: http://www.delight.ch/ (but it's in German). This works just as you described. I then snooped around some more and found out you can also achieve this with Putty. It is simple and I used this guide to set it up: http://www.cs.uu.nl/technical/servic...y/puttyfw.html And to the best of my knowledge I can use this for professional use for free. My management host is a linux machine and already has an sshd running. Tomorrow at work I will test this "for real" since at the moment that host is not allowed as a GUI client on the firewall. I tested this at home with a tunnel to some other application and it works fine, so I'm confident it'll turn out ok tomorrow too. regards, Kevin |
| |||
| Well, this works very efficiently. I have set up Putty to tunnel both CPMI (TCP 18190) and SSH (TCP 22) over my linux management host. Over that tunnel I can access the CP over the GUI from anywhere on the LAN (read: from any network range from which I am able to set up the tunnel to the management host). Thanks for the help. |
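The tunnel from the last post, written for the OpenSSH client instead of PuTTY, together with an sshd_config restriction for the bounce host. This is an added example, not part of the original thread. The host name, the management address, the group `fwadmins` and the local port 2222 are assumptions; only the ports 18190 and 22 come from the thread.

```shell
#!/bin/sh
# Added example: OpenSSH form of the PuTTY tunnel from the thread.
# Assumptions (not from the thread): host names, addresses, group name.
JUMP_HOST="monitor.example.lan"  # Linux host that is already a permitted GUI client
MGMT_IP="192.0.2.10"             # Check Point management station (placeholder)
CPMI_PORT=18190                  # CPMI port named in the thread
LOCAL_SSH_PORT=2222              # local end of the forwarded SSH (TCP 22) session

# Print the client command. Both forwards listen on 127.0.0.1 only, so other
# machines near the admin workstation cannot use the tunnel; -N runs no
# remote shell, and the session exits if a forward cannot be set up.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -L 127.0.0.1:%s:%s:22 %s@%s\n' \
        "$CPMI_PORT" "$MGMT_IP" "$CPMI_PORT" "$LOCAL_SSH_PORT" "$MGMT_IP" "$1" "$JUMP_HOST"
}

# Print an sshd_config fragment for the jump host. Members of the (assumed)
# group fwadmins may forward only to the management station's two ports.
jump_sshd_fragment() {
    cat <<EOF
Match Group fwadmins
    AllowTcpForwarding local
    PermitOpen ${MGMT_IP}:${CPMI_PORT} ${MGMT_IP}:22
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Read sshd_config text on stdin; succeed only if a PermitOpen line exists
# and every target on it points at the management station.
check_permitopen() {
    awk -v ip="$MGMT_IP" '
        tolower($1) == "permitopen" {
            seen = 1
            for (i = 2; i <= NF; i++) { split($i, hp, ":"); if (hp[1] != ip) bad = 1 }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

tunnel_cmd "${USER:-admin}"
jump_sshd_fragment
jump_sshd_fragment | check_permitopen && echo "forwarding restricted to $MGMT_IP"
```

With the tunnel up, SmartConsole connects to 127.0.0.1 and the firewall sees the jump host as the source, so SSH authentication on the jump host and its `PermitOpen` list become the access control for CPMI.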