From danielk at nikhef.nl Tue Aug 29 16:19:47 2017
From: danielk at nikhef.nl (Daniel Kollmer)
Date: Tue, 29 Aug 2017 16:19:47 +0200
Subject: [Thinlinc-technical] server->agent proxy
Message-ID: <2706d9fc-5e80-ebf1-571b-be19a9743a3d@nikhef.nl>

Hello

I am new to the list, so a quick introduction first. I am a Linux System
Engineer for the Dutch Institute for Particle Physics. We have just set
up Thinlinc as an environment for our educational computer lab where
students receive courses in scientific computing applications. Next week
Monday it will be used the first time for a course, so we are looking
forward to seeing how things work out.

At this time, we are only using the Thinlinc setup internally, but we
would also very much like to offer the possibility for students to log
in from home or abroad. The way Thinlinc builds its sessions, this
would require that we open ports 22 and 443 (for tlwebaccess) across our
whole range of agent IP addresses to make that possible. Our security
team is reluctant to do so, therefore I was thinking of possibilities to
build a sort of proxy setup where external users can connect to one
entry point (like the Thinlinc server for example) and then be passed
through to the Thinlinc agents transparently, i.e. without their ssh or
https connection being redirected from their perspective.

Does anyone have experience with such setups or any suggestions on how
to approach this?

Any ideas are welcome.

Kind regards,

-- 
D. Kollmer
Computer Technology Group
NIKHEF - Dutch National Institute for Sub-atomic Physics
Science Park 105 1098 XG Amsterdam
Phone: +31205922164

From vitaly.zverev at gmail.com Wed Aug 30 11:09:11 2017
From: vitaly.zverev at gmail.com (Vitaly Zverev)
Date: Wed, 30 Aug 2017 12:09:11 +0300
Subject: [Thinlinc-technical] server->agent proxy
In-Reply-To: <2706d9fc-5e80-ebf1-571b-be19a9743a3d@nikhef.nl>
References: <2706d9fc-5e80-ebf1-571b-be19a9743a3d@nikhef.nl>
Message-ID: <8B8628B7-C58B-4E4A-BAAA-711DCADE8165@gmail.com>

Hi Daniel,

whenever we're looking at the security side of networking, it's time to
think about a lovely pair: the model of the invader and the associated
police (VPN, firewall, etc.). Nothing new. As usual, the hardest part of
the work lies in the proof of safety for such a pair. Drilling ports in
the firewall for a reverse proxy looks like longer wires to the
detonator. It's a gift for a smart invader, not for scientists near the
neutron accelerator in the center of Europe. Just ask your security team
about an existing proof of safety and keep smiling :)

Vitaly.

> On 29 Aug 2017, at 17:19, Daniel Kollmer wrote:
>
> Hello
>
> I am new to the list, so a quick introduction first. I am a Linux System
> Engineer for the Dutch Institute for Particle Physics. We have just set
> up Thinlinc as an environment for our educational computer lab where
> students receive courses in scientific computing applications. Next week
> Monday it will be used the first time for a course, so we are looking
> forward to seeing how things work out.
>
> At this time, we are only using the Thinlinc setup internally, but we
> would also very much like to offer the possibility for students to log
> in from home or abroad. The way Thinlinc builds its sessions, this
> would require that we open ports 22 and 443 (for tlwebaccess) across our
> whole range of agent IP addresses to make that possible.
> Our security
> team is reluctant to do so, therefore I was thinking of possibilities to
> build a sort of proxy setup where external users can connect to one
> entry point (like the Thinlinc server for example) and then be passed
> through to the Thinlinc agents transparently, i.e. without their ssh or
> https connection being redirected from their perspective.
>
> Does anyone have experience with such setups or any suggestions on how
> to approach this?
>
> Any ideas are welcome.
>
> Kind regards,
>
> --
> D. Kollmer
> Computer Technology Group
> NIKHEF - Dutch National Institute for Sub-atomic Physics
> Science Park 105 1098 XG Amsterdam
> Phone: +31205922164
>
>
> _______________________________________________
> Thinlinc-technical mailing list
> Thinlinc-technical at lists.cendio.se
> Manage your subscription:
> http://lists.cendio.se/mailman/listinfo/thinlinc-technical