Koozali.org: home of the SME Server

Want to get to server-manager from outside router

Offline steve288

Want to get to server-manager from outside router
« on: March 12, 2013, 09:10:00 PM »
I'm testing the SME8 (although I'm sure this relates to other versions).
I want to get to the server manager from the outside. What I mean by this is:

[MyRouter doing DHCP] ----- sme server (server mode)
[MyRouter doing DHCP] ----- other devices
[MyRouter doing DHCP] ----- blackberry etc.

This SME only has one NIC.
I can port forward port 22 from router to sme, works fine.
I can port forward the PPTP vpn port 1723, works fine.

However, I'm kind of confused. If I want to go to my router, e.g. http://100.100.100.100/server-manager, to get to my GUI, what do I need to port forward on my router?
I don't want to conflict with my router GUI, which is http://100.100.100.100:8080

I can connect using PPTP and then type in
http://192.168.1.45/server-manager
And this works, but how can I directly connect to the Internet via port forward (assuming that is what I would use)?
Thanks.

Offline stephdl

Re: Want to get to server-manager from outside router
« Reply #1 on: March 12, 2013, 10:08:50 PM »
You need a static Internet IP or a free service such as dyndns.org or no-ip.org, and a VPN service (such as PPTP or the OpenVPN bridge contrib) activated on your smeserver.

Then, with a port forward to your smeserver (1194 for OpenVPN) and a VPN client configured (such as NetworkManager) on your computer, you should be able to use the server manager outside of your network with a URL like this:

https://yourdyndns.dyndns.org/server-manager
or
https://your-internet-static-ip/server-manager
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #2 on: March 13, 2013, 02:04:14 AM »
I think I may have explained what I want poorly.
I understand getting to my IP address from the outside would.

I think I understand the vpn aspect of the server.

Although I have not used OpenVPN, I have set up a VPN from my Windows 7 to the SME computer by forwarding port 1773 at the router.
This is the port that the vpn software built into sme uses is based on Please see ...
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#PPTP_.28VPN.29
It is not OpenVPN, but I think it is the same thing, well at least it does the same thing basically. Please correct me if I'm wrong.

I think you have asked me to do essentially what I have already done. And I'm also not sure what you have pointed out will work.

If you use VPN software to connect to your computer then you need to use your local IP address like 192.168.1.1 to connect to the SME. An "outside" IP I'm not sure will work. Having said that, it's not what I want, as I don't want to have to start a VPN connection every time I want to look at the GUI.

What port does the server-manager use? It is not 1773 or 1194, I don't think. It is, I assume, 8080 or some web type port.
I don't want to forward my web port because that means, I think, I will not be able to connect to my router GUI from the outside, e.g. 8080. I think if I did forward 8080 to the SME then if I did type http://100.100.100.100/server-manager it would work, but what would happen if I then used 100.100.100.100:8080 to connect to my router?
I suppose I will just have to try it out and see.

I'm open to you or anyone else saying I'm wrong (as if I could stop you incorrigible lot).
Regards




Offline crazybob

Re: Want to get to server-manager from outside router
« Reply #3 on: March 13, 2013, 02:25:19 AM »
Try forwarding port 443 to your server. You will also have to add your remote pc public ip in the remote access panel in server-manager.
If you think you know whats going on, you obviously have no idea whats going on!

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #4 on: March 13, 2013, 02:47:52 AM »
I think you are right.

I started doing
[root@testy ~]# sudo netstat -tulpn |egrep http
tcp        0      0 127.0.0.1:942               0.0.0.0:*                   LISTEN      2987/httpd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      2957/httpd
tcp        0      0 127.0.0.1:980               0.0.0.0:*                   LISTEN      2934/httpd-admin
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2957/httpd

Of course, I thought to myself, there are other ports like 443 that could be used.
I added it to the router to port forward.
Then added my https://domain.com/server-manager and it worked.
It HAS to be https not just http.
I need to see however when I'm not inside the network tomorrow. Sometimes I have been fooled into thinking things work when they do not because I'm behind the network. As I am right now.
Thanks.
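
Added example, not part of the original post: the netstat output above already shows why 443 is the port to forward, since httpd listens on all interfaces while httpd-admin is bound to loopback only. This shell script parses that output and reports, for a constructed list of candidate forwards (443, 980, 8080), whether a connection arriving from the router can reach a listener; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check planned router forwards
# against the listeners shown by `netstat -tulpn` on the SME server.

# The four httpd lines exactly as posted in the reply above.
sample_netstat() {
cat <<'EOF'
tcp        0      0 127.0.0.1:942               0.0.0.0:*                   LISTEN      2987/httpd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      2957/httpd
tcp        0      0 127.0.0.1:980               0.0.0.0:*                   LISTEN      2934/httpd-admin
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2957/httpd
EOF
}

# stdin: netstat -tulpn output. stdout: "port scope program" per TCP listener.
# scope: loopback (127.x, ::1), all (0.0.0.0, ::) or specific (one address).
classify_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
        if (host ~ /^127\./ || host == "::1") {
            scope = "loopback"
        } else if (host == "0.0.0.0" || host == "::") {
            scope = "all"
        } else {
            scope = "specific"
        }
        prog = $7; sub(/^[0-9]+\//, "", prog)    # drop the PID prefix
        print port, scope, prog
    }'
}

# $1: space-separated ports the router would forward to this host.
# stdin: netstat output. stdout: "port verdict detail" per port.
# Assumption: a "specific" bind is the LAN address, so it counts as reachable.
audit_forwards() {
    classify_listeners | awk -v ports="$1" '
        # Keep the widest bind seen for each port.
        !($1 in scope) || scope[$1] == "loopback" { scope[$1] = $2; prog[$1] = $3 }
        END {
            n = split(ports, want, " ")
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (!(p in scope)) {
                    print p, "unreachable", "no-listener"
                } else if (scope[p] == "loopback") {
                    print p, "unreachable", prog[p] "(loopback-only)"
                } else {
                    print p, "reachable", prog[p]
                }
            }
        }'
}

# Constructed forward list: 443 (suggested in the thread), 980 and 8080.
sample_netstat | audit_forwards "443 980 8080"
```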

Offline TerryF

Re: Want to get to server-manager from outside router
« Reply #5 on: March 13, 2013, 04:25:16 AM »
I use a VPN to connect to all the servers I help with, it is only three :-), simple, secure and it works.

Make sure the VPN port is forwarded to the server, you said 1773, it should be 1723.

Simply connect to the server manager using the local LAN's IP for the server: https://192.168.x.x/server-manager

This is an excellent doc http://wiki.contribs.org/VPN_practical_tips on setting up a VPN

**after reading again added this

However I believe you want to do this:

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11
« Last Edit: March 13, 2013, 04:39:43 AM by TerryF »
--
qui scribit bis legit


Offline steve288

Re: Want to get to server-manager from outside router
« Reply #7 on: March 13, 2013, 02:30:57 PM »
TerryF
Yes, you're right, port 1723; might be confusing to others following this. I mistyped 1773. I think I was getting mixed up with US history and 1776.
thanks.

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #8 on: March 13, 2013, 02:43:52 PM »
mmccarn
Thanks. Always helpful as usual.
Yes never thought of that. Have not really used tunneling but I will explore that option.

I have discovered that by forwarding port 443 I can also look at horde mail.
eg https://mydomain/horde
Not that it sends or receives any mail to the world but I can see the administrator emails remotely.

Thank you.

Offline hawk

Re: Want to get to server-manager from outside router
« Reply #9 on: March 13, 2013, 07:56:49 PM »
Hi,
for quick easy connection to server-manager, I use PuTTY and log into the admin account, then option 6. Access Server Manager.

thanks john

Offline stephdl

Re: Want to get to server-manager from outside router
« Reply #10 on: March 13, 2013, 08:34:12 PM »
Quote
mmccarn
Thanks. Always helpful as usual.
Yes never thought of that. Have not really used tunneling but I will explore that option.

I have discovered that by forwarding port 443 I can also look at horde mail.
eg https://mydomain/horde
Not that it sends or receives any mail to the world but I can see the administrator emails remotely.

Thank you.

Indeed, with 443 forwarded to your SME internal IP you can use this outside of your network for playing with ssh tunneling.

Do this in a root terminal of your computer outside of your network
Code:
ssh -L 443:localhost:443 root@your-static-external-network-ip-or-host.dyndns.org
Then in Firefox the URL to see the server-manager will be this

Code:
https://localhost/server-manager
« Last Edit: March 13, 2013, 08:38:32 PM by stephdl »

Offline p-jones

Re: Want to get to server-manager from outside router
« Reply #11 on: March 14, 2013, 12:13:43 PM »

Steve288,

If you set it up as a server-gateway with two NICs the whole task becomes so much more simple and reliable.
...

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #12 on: March 14, 2013, 06:38:53 PM »
TO: stephdl
So if I use the tunneling procedure, does that mean I don't need to port forward?
I'm sort of confused on why to use this process, since I can access the server-manager with a port forward.
Or does this tunneling method mean I can do it w/out the port forward as it's setting up the port 443? Sorry perhaps for asking an obvious question.

TO: p-jones
Yes you are right thanks.
What I'm doing now is just testing sme8 at home, not at work where I have a 7.6 doing a fine job for the organization. But at home I have this spare computer which strangely has NO bus slots. (Yup) so I'm stuck with the NIC port on the MB and can't add any more. That's why it's in server mode only. I tried to use a Wifi USB but many posts seem to indicate that SME does not seem to support that. I may have a USB NIC but because I was out of luck with the wifi I thought I would be with the USB NIC as well.(?) However this has been all a fun educational experience.
Regards.

Offline stephdl

Re: Want to get to server-manager from outside router
« Reply #13 on: March 14, 2013, 07:06:03 PM »
Quote
TO: stephdl
So if I use the tunneling procedure, does that mean I don't need to port forward?
I'm sort of confused on why to use this process, since I can access the server-manager with a port forward.
Or does this tunneling method mean I can do it w/out the port forward as it's setting up the port 443? Sorry perhaps for asking an obvious question.

With the tunneling procedure you have to forward the port 22 and 443 to your SME internal IP, otherwise you cannot reach your server outside of your network.
With an SME in server mode you must forward at least 993/995/22/443/80. In a server/gateway mode it is a different approach, it depends if you have a router or a modem in front of your SME.

In all events you need some port forward if you want to be accessible outside of your network, except if you are in a server/gateway private mode.

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #14 on: March 15, 2013, 10:04:38 AM »
Thank you for that.

The question I was confused on was what is the difference between not using the ssh commands you have suggested and ONLY using port forward, since it works with or without your command to get to my server-manager. And I think (correct me if I'm wrong) is that if I just use port forward I have to access it with the address "mydomain/server-manager" as opposed to "mylocalip/server-manager", if I use the tunneling method, right?
Regards

Offline janet

Re: Want to get to server-manager from outside router
« Reply #15 on: March 15, 2013, 01:43:28 PM »
steve288

If you have port forwarded in your router (in conjunction with enabling server manager access in the server manager Remote Access panel), you are using https, then theoretically anyone on the net can access it, it's just a matter of falsifying their source IP & hacking the password.
Edit - This statement is not correct as Charlie points out in a later post ie "because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist."

So you only have one level of security (password) to protect probably the most important "function" on your server.
Edit - and this statement only applies if a hacker is accessing via a site IP specified in the remote access panel.

Edit - This whole issue is why it is not recommended to allow access to server manager from anywhere on the Internet, using the appropriate setting (which I will not repeat here).
Under those conditions it is just a matter of hacking the admin password.

Using the VPN method requires a VPN to be established first which makes you a part of the local network, so security is better, but recently we see issues where VPN connections are less than secure as the ISP can read your communications if they choose to. There may be a shift away from the use of VPN because of this security issue.

By tunnelling you use a secure ssh connection, as good as it gets in a practical world, so security is reasonably well assured. After establishing the tunnel using Putty, typically you then open a browser at https://localhost/server-manager

ssh using tunnelling or command line input is the most secure method.
Port forwarding is not really the connection method, it's just allowing the connection to be forwarded by your router to your sme server, where your router is acting as your local gateway, note you are using https then, and all that is needed to gain access to your system is a correct password. So make sure you use really strong passwords for server manager, and always specify the remote connection fixed IP (in server manager Remote Access panel).
« Last Edit: March 15, 2013, 09:48:45 PM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

Re: Want to get to server-manager from outside router
« Reply #16 on: March 15, 2013, 02:12:40 PM »
Quote
If you have port forwarded in your router (in conjunction with enabling server manager access in the server manager Remote Access panel), you are using https, then theoretically anyone on the net can access it, it's just a matter of falsifying their source IP & hacking the password.

Mary, because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist.

crazybob has correctly noted that particular remote IP addresses can be configured to be permitted access to the server-manager. Only IP addresses within that range can access the server-manager URL and attempt to log in ("hack the password").

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #17 on: March 15, 2013, 03:33:45 PM »
Like a junk yard dog I'm going to keep chomping on this bone.
Thanks for sharing regarding the various connection security issues, helpful.

And yes thanks CB I do only allow certain IPs to access the manager. So I believe I'm "reasonably" secure.

However I still need to ask the question: is the ssh method then just to create a secure tunnel between the two machines so people can't see the data that I'm passing back and forth (for lack of a better word)?
In other words, is the ssh method just for that reason, and not for any other?
I was thinking it was for some other reason, like it would set up a 443 connection through a port 22 connection, thus not requiring you to port forward port 443 in the router if you had only forwarded port 22.

Sorry if I'm not explaining it well enough. If I don't understand, it's hard to ask the question with some intelligence.
Regards.

PS I wish that there was a way to change the Admin name (I have done no research on this I admit). On Windows I have disabled the ability on servers to have a remote connection via administrator and have created an admin account called say "Joefresh". That way when people try to break in from outside it creates another thing to slow them down. Not only do they need the password but they also need the right name. This would make it very hard to get both these right.
« Last Edit: March 15, 2013, 03:36:29 PM by steve288 »

Offline CharlieBrady

Re: Want to get to server-manager from outside router
« Reply #18 on: March 15, 2013, 05:24:44 PM »
Quote
PS I wish that there was a way to change the Admin name (I have done no research on this I admit). On Windows I have disabled the ability on servers to have a remote connection via administrator and have created an admin account called say "Joefresh". That way when people try to break in from outside it creates another thing to slow them down. Not only do they need the password but they also need the right name. This would make it very hard to get both these right.

If you prefix your passwords with 'Joefresh' and continue to use 'admin' as username then you've introduced exactly as much additional difficulty in bruteforcing access to the account. So it's not necessary to change your admin username to get whichever level of difficulty you require. Just choose a suitably difficult to guess or bruteforce password, and protect that password suitably (don't share it, don't give it away if people ask, etc).

Offline janet

Re: Want to get to server-manager from outside router
« Reply #19 on: March 15, 2013, 09:28:02 PM »
CharlieBrady

Quote
Mary, because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist.

Thank you Charlie for your correction & clarification.

Offline janet

Re: Want to get to server-manager from outside router
« Reply #20 on: March 15, 2013, 09:51:37 PM »
steve288

Google
what is a ssh tunnel

There are numerous answers which should be informative to you
eg http://en.wikipedia.org/wiki/Tunneling_protocol
and others
No need to rewrite the manual here

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #21 on: March 17, 2013, 12:51:26 PM »
Well it was less what tunneling is but rather what the purpose of it is in this case.

Just not to leave this hanging for others, I have tested this out.
What I have learned is that when you set up a tunnel using the ssh command line above or the putty method that mmccarn suggested, you can then access your server-manager and webmail via the literal address of
https://localhost/server-manager or https://localhost/webmail. I'm not sure why you would want this but it's interesting and I have learned something.

Offline stephdl

Re: Want to get to server-manager from outside router
« Reply #22 on: March 17, 2013, 10:27:23 PM »
Quote
you can then access your server-manager and webmail via the literal address of
https://localhost/server-manager or https://localhost/webmail. I'm not sure why you would want this but it's interesting and I have learned something.

You don't need tunneling to see the webmail, you simply need to allow your webmail ;-)

I have setup a page on the wiki
http://wiki.contribs.org/Useful_Commands#SSH
 