Koozali.org: home of the SME Server

no remote access to server-manager

Offline hjpal

no remote access to server-manager
« on: November 25, 2010, 05:55:50 PM »
My sme server is hosted remote.
I have ssh access and can do db configurations etc. and access files.

I cannot however access remote-manager through web browser - I get access denied.

Can anyone help me gain access through shell commands?

Offline cactus

Re: no remote access to server-manager
« Reply #1 on: November 25, 2010, 06:31:43 PM »
Quote
Can anyone help me gain access through shell commands?

Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.

You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel as it states:

Quote
Remote Management

It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.

Tip: It is better to set up a VPN to the server, as that is more secure than exposing your server-manager to the outside world.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline hjpal

Re: no remote access to server-manager
« Reply #2 on: November 25, 2010, 07:21:38 PM »
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password
« Last Edit: November 25, 2010, 07:23:57 PM by hjpal »

Offline cactus

Re: no remote access to server-manager
« Reply #3 on: November 25, 2010, 07:33:11 PM »
Quote
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password

You said you had SSH working and now you are saying you cannot login as admin. Are you or are you not able to login using SSH as root?

You should use "admin" as username not root, with the same password (if you did not alter it), for server-manager (as well as the console). Please read the manual especially the tip: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#The_Server_Console

Here is how to login to server-manager through the admin console: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#Option_6:_Access_server_manager

Offline hjpal

Re: no remote access to server-manager
« Reply #4 on: November 25, 2010, 08:23:45 PM »
You are right. The console may be accessed when admin is used. Thank you.

But it would be nice to know if public access could be granted to different services using db configuration - I have not been able to.
I wonder if iptables may be accessed directly or should be avoided.

Offline hjpal

Re: no remote access to server-manager
« Reply #5 on: November 26, 2010, 02:16:18 PM »
regarding this:
Quote
It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.
What I can do REMOTE: access server console and through the console access the text-based server-manager
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.
db configuration show httpd-admin gives the remote network address in the ValidFrom variable, access is localhost and status is enabled.
netstat -ant shows amongst others listen to 443,980,22
Does anyone have an idea why I cannot connect via browser?

On an XP I can establish a VPN connection connected as admin. But I don't know how I get to the graphical server-manager through the established VPN connection.

Offline Stefano

Re: no remote access to server-manager
« Reply #6 on: November 26, 2010, 02:38:05 PM »
Quote
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.

and it's a very bad idea..

the best way is to do a vpn, then simply go to http://lan-ip-of-sme/server-manager

or you can create a ssh tunnel with

Code:
ssh root@remoteipofsme -L443:localhost:443

then simply open a browser and go to https://localhost/server-manager

the latter works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan

HTH

Offline janet

Re: no remote access to server-manager
« Reply #7 on: November 26, 2010, 02:44:12 PM »
hjpal

Server manager remote access is blocked by default for security reasons.

Look in the Remote Access panel in server manager (you can initially configure it in the text based server manager).
Add the remote host IP for each location you wish to access server manager from.

Alternative access methods have been suggested earlier in this thread.

Once you have a VPN connection established, you can access it using
https://localIP/server-manager
eg
http://192.168.1.1/server-manager

If WINS is setup correctly in your VPN setup, then you should be able to use
https://servername/server-manager
or
https://www.yourdomain/server-manager
(assuming that is resolvable via your VPN connection)

You can also create a VPN tunnel in Putty, and once that is established, then access server manager using
https://localhost/server-manager
Search forums or google for how to create a tunnel using Putty, it's so easy.
Quick howto
Create a normal Putty session parameters & save them, with these extra steps
Connection - SSH-Tunnels-
Add new forwarded port
Destination: localhost:443
Source port: 443
dot next to Local
then click Add button
This adds an entry in the Forwarded ports box as:
L443  localhost:443


Using any of these methods keeps your server protected from attack via server manager, rather than using other workarounds (which do exist) to open up server manager access to the whole Internet, which is definitely NOT recommended.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

Re: no remote access to server-manager
« Reply #8 on: November 26, 2010, 02:48:54 PM »
Stefano et al

Quote
...the latter (SSH Tunnel) works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan

That's why it's a good idea to have any servers you deal with on different LAN IPs (from each other).
Also VPN can sometimes be problematic from differing locations, and a connection is not always guaranteed depending on what equipment you traverse.
I rarely (never) have problems with SSH, so a SSH tunnel is very reliable way to then get to server manager.

Offline Stefano

Re: no remote access to server-manager
« Reply #9 on: November 26, 2010, 02:57:40 PM »
Quote
I rarely (never) have problems with SSH, so a SSH tunnel is very reliable way to then get to server manager.

since I'm using linux (almost windows free on my side), I prefer ssh, always ;-)

Offline hjpal

Re: no remote access to server-manager
« Reply #10 on: November 26, 2010, 04:53:34 PM »
Thank you all.
I am on an XP. The Putty ssh tunnel suggestion worked.
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.

I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin

Offline janet

Re: no remote access to server-manager
« Reply #11 on: November 26, 2010, 05:04:31 PM »
hjpal

Quote
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.

You can use https://servername/server-manager if you configure the WINS server to be the remote SME in the VPN setup.


Quote
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.

Because for security reasons that is the default design, and the firewall code blocks it.

Quote
And yes - the remote host is added which I can see now in both server-manager...

Because it reconfigures the firewall code and unblocks access only for that host IP or IPs (if more than one configured).

To see use
iptables -L

Offline cactus

Re: no remote access to server-manager
« Reply #12 on: November 26, 2010, 05:06:46 PM »
Quote
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin

As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:

Quote
Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.

You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel.

Offline hjpal

Re: no remote access to server-manager
« Reply #13 on: November 27, 2010, 12:09:31 AM »
Quote
As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:
I don't know if we are talking about the same thing. As I have mentioned a couple of times, I believe that I have allowed explicit remote management access. In server-manager - security - Remote access under Remote Management the network and subnet mask of the remote network from which I want to access the server manager using https is added and visible. I have also told, that a
Quote
db configuration show httpd-admin
shows the same remote network address. So you must be talking about something else that I have missed to do.

So apart from that - what more must be done then?
« Last Edit: November 27, 2010, 12:14:38 AM by hjpal »

Offline janet

Re: no remote access to server-manager
« Reply #14 on: November 27, 2010, 12:46:06 AM »
hjpal

Quote
..what more must be done then?

What you have done sounds correct to allow access ONLY from the specified remote host external (public) IP ie from PC's etc behind that gateway.
This is my setting & it allows access to server manager from PC's on the remote host IPs.

httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    TKTAuthSecret=xxxxxx
    ValidFrom=110.xxx.xx.xxx/255.255.255.255
    access=localhost
    status=enabled

Are you saying that under those circumstances you still get a 403 error ?
Does https access work at all to the SME eg
https://yourdomain.com
If you are using a separate firewall, have you forwarded port 443 to the SME server?
do a port scanning test at grc.com

Please explain your exact issue further.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
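
As an added example (not code from this thread or from SME Server itself), the sketch below parses output in the format of `db configuration show httpd-admin` shown above and checks whether a given public source address, as the server sees it, falls inside a `ValidFrom` entry; it also lists entries wider than a chosen size. The function names, the sample addresses (documentation ranges) and the comma-separated handling of multiple `ValidFrom` entries are assumptions.

```python
import ipaddress

# Constructed sample in the format printed by `db configuration show httpd-admin`.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    ValidFrom=203.0.113.7/255.255.255.255,198.51.100.0/255.255.255.0
    access=localhost
    status=enabled
"""

def parse_props(text):
    """Return the indented key=value properties as a dict (first line skipped)."""
    props = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key] = value
    return props

def valid_from_networks(props):
    """Parse ValidFrom into network objects (comma-separated list is an assumption)."""
    entries = filter(None, props.get("ValidFrom", "").split(","))
    # strict=False tolerates host bits set under the mask
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def check_client(text, client_ip):
    """Return (allowed, matching_network_or_None) for the source IP the server sees."""
    props = parse_props(text)
    if props.get("status") != "enabled":
        return False, None
    ip = ipaddress.ip_address(client_ip)
    for net in valid_from_networks(props):
        if ip in net:
            return True, net
    return False, None

def broad_entries(text, max_hosts=256):
    """List ValidFrom entries that cover more than max_hosts addresses."""
    nets = valid_from_networks(parse_props(text))
    return [n for n in nets if n.num_addresses > max_hosts]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.168.1.10"):
        print(ip, check_client(SAMPLE, ip))
    print("broad:", broad_entries(SAMPLE, max_hosts=1))
```

The address to test is the public address of the remote gateway, not the private LAN address of the PC behind it, which is why the `192.168.1.10` case does not match.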