NA IT tech check

Let'sgoflying! (Dave Taylor), west Texas:
IT guy says the way to get my laptop to remote into my server (Winserver2012) is by asking ATT to enable port forwarding on my Uverse box.

Sound about right?
 
I would...suggest..you use a lot of caution. Exposing all of the ports of a Windows Server is..well..a really good way to get hacked. You'd want to be installing updates on everything on this server religiously and weekly at minimum.

You'd be *way* better served with a VPN solution.
 
I would...suggest..you use a lot of caution. Exposing all of the ports of a Windows Server is..well..a really good way to get hacked. You'd want to be installing updates on everything on this server religiously and weekly at minimum.

You'd be *way* better served with a VPN solution.
This ^^^^
 
Agreed on using a VPN. I just answered the specific question without answering whether it was a Good Idea(TM) or not. :)

I wouldn't expose a Windows server to the Net directly. I barely expose Linux machines and only when necessary.
 
But if you want to... Just port forward 3389 on your router to your internal server IP. Better solution is throw TeamViewer on it.. Free.
 
He did use the term VPN.
So I am confused why he needs this.

Perhaps he's planning to set up the built-in Windows Server VPN software, which would make the Windows Server itself the VPN endpoint, and you have to expose it to the Net a little bit to make that happen. It generally isn't considered "all that great" to use a server as a VPN router...

We all probably need more detail on what he's planning to do to really analyze that part...

Which is why I just answered the "How to do port-forwarding on AT&T U-Verse" direct question and stayed out of the rest of it. :) :) :)

Generally for a small biz, I would recommend using a "real" router (and having AT&T put theirs into "bypass" mode) that has a VPN feature and is totally under your control for things like the VPN...

In fact, normally I dislike the carrier's routers. Sometimes they'll do everything you want them to, but in general they've always been a little bit more "limited" on feature set, and I'd rather the carrier just deliver the network and stay out of my routing... but that's a very DIY type of attitude... and it's not TOTALLY necessary these days...
 
You can pick up a used Cisco ASA 5505 pretty cheap, now that the 5506's are out and use Cisco AnyConnect SSL VPN. Real easy to use.

Edit: Here is one on eBay for $165. It comes with a license for two SSL VPN peers. http://www.ebay.com/itm/Cisco-ASA55...669738?hash=item35fd0bb5aa:g:qPMAAOSwwbdWJS0x

Admittedly, I've never set up any Cisco gear. But how might that compare to the RaspiVPN I configured recently?

To keep this on topic (and potentially helpful), if the OP either knows someone with some tech knowledge or wants some help, this is the route I decided to go:

http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/

Total cost was about $50 and I can access my network resources from anywhere in the world that I have an Internet connection.
 
Admittedly, I've never set up any Cisco gear. But how might that compare to the RaspiVPN I configured recently?

To keep this on topic (and potentially helpful), if the OP either knows someone with some tech knowledge or wants some help, this is the route I decided to go:

http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/

Total cost was about $50 and I can access my network resources from anywhere in the world that I have an Internet connection.

There are a lot of ways to skin a cat as they say. Cisco support is pretty easy to find and for the most part, people who work on these have templatized configs. We just change the IPs and paste it onto the device. It doesn't take long. This is also something that could get configured and shipped or configured remotely pretty easily. Trying to do things too cheaply and ending up with something you can't find support for will cost you more money in the long run.
 
Y'know, I have a SonicWall TZ210 sitting around somewhere gathering dust, and (IIRC) SonicWall includes a VPN in its suite of awesomeness. Of course, setup is utterly beyond me.
 
You will want to request a public static address from your ISP (AT&T). Specifically, one that can be assigned to your own internal equipment (not their router/modem).
 
I would not expose a Windows system to the Internet. As suggested above, a router, OpenVPN on a Raspberry Pi, etc. would be a better choice.

You will need to forward a port from your router (UDP 1194 is common), but should forward it to a device that is designed to be internet facing.

In lieu of a static IP you can use a dynamic DNS address. Mine is through my registrar, joker.com.

I use TeamViewer to assist relatives; within its limits it's a good tool and a lot less trouble to set up than the above.

If you're just looking to have access to your files while traveling Dropbox is easy to use and facilitates file sharing between a desktop and laptop.


Sent from my iPhone using Tapatalk
 
Y'know, I have a SonicWall TZ210 sitting around somewhere gathering dust, and (IIRC) SonicWall includes a VPN in its suite of awesomeness. Of course, setup is utterly beyond me.

I have one of those in my lab at home, and the config is quite easy. I'd be happy to help if needed.
 
But if you want to... Just port forward 3389 on your router to your internal server IP. Better solution is throw TeamViewer on it.. Free.

I did that and found that at certain points of the day, my mouse just moves all by itself! Of course, I have a blank password, a public facing website with the direct link to my computer (you know, for my convenience), and even my contact information and birth date (in case someone wants to wish me a happy birthday).

What am I doing wrong??!?
 
Y'know, I have a SonicWall TZ210 sitting around somewhere gathering dust, and (IIRC) SonicWall includes a VPN in its suite of awesomeness. Of course, setup is utterly beyond me.

I have one of those in my lab at home, and the config is quite easy. I'd be happy to help if needed.

Only thing on these I would worry about is that there have been significant bug fixes/security fixes for SonicWall firewalls (just like any other firewall/device) over the years, and I would find someone who could download the firmware updates for the device at least; at best, you'd want to put a service contract on it through Dell so you could download the software. Since they were bought by Dell, they've been a PITA about needing a contract to get to the software.

I can also help with SonicWall stuff, but we kicked their butt to the curb and went to CheckPoint a couple of years ago...
 
I did that and found that at certain points of the day, my mouse just moves all by itself! Of course, I have a blank password, a public facing website with the direct link to my computer (you know, for my convenience), and even my contact information and birth date (in case someone wants to wish me a happy birthday).

What am I doing wrong??!?

Well, for one you must have VNC running too, since a remote RDP session would leave your console session locked. You would never see the mouse move. Having the blank password actually helps your paranoia since no RDP session can be established without a password. Time to adjust the tinfoil...
 
Well, for one you must have VNC running too, since a remote RDP session would leave your console session locked. You would never see the mouse move. Having the blank password actually helps your paranoia since no RDP session can be established without a password. Time to adjust the tinfoil...

I did install VNC, it looked like fun, though I do see my session is locked. Also (and I don't know how this happened) when I go to login I see many other accounts already logged into the computer.

Most names are h@3k3du or l33tn00b or some other type of letter and number combination... fascinating, are those computer services doing magical things while I sleep?
 
What exact functionality are you looking for? "Remote into my server" covers a lot of territory. Remote control for administration? Access to files? Database or accounting? File transfer?
 
I think he has dropped the previous idea.
Now he is saying I need to have ATT assign me a static ___ address vs the dynamic ____ address I have now. He is sounding more sure of himself.
Does this sound more righter?
He usually gets the job done even if he struggles a little. (I'm not about to fire him so restraint is requested, thank you.)
 
You do need a static IP address if you expect to connect to it from elsewhere easily. You may still also need access to their router to configure the firewall.

The typical home internet connection makes only outbound connections, so you get an address from a pool of addresses and it may or may not change periodically. Your internal network of machines all have "private" addresses and the carrier's modem/router masquerades all of those internal addresses out as that one single public changing address.

He's asking you to pay the carrier to lock that address down to a static address that doesn't change so you can always "find home" from outside of your network.

You'll still want your machines in internal private addresses and a firewall/router between them and the Internet.

You do NOT want to put a public address directly on any Windows product ever. Not one that has any data on it you care about.

This is where a "VPN" comes in. You connect to a router or system that does the reverse of the carrier's router. You connect to it and over your encrypted link to it, it hands your machine off-site one of those "private" network addresses and your remote machine thinks it's sitting there on the desk next to your other machines at "home". You can access whatever you like on the "private" network, until you disconnect the VPN tunnel. That way the only thing exposed to the Internet at large is the VPN router/system. Not your internal private machine.

He's suggesting you make the Windows server the VPN router. That's a very bad idea IMHO.

The Windows OS is not known for being as secure as most dedicated VPN devices, although many use it that way. They used to tend toward using outdated and insecure VPN methods (PPTP - Point to point tunneling protocol).

It's just generally considered bad form to put a device with your secured data directly on the Net. Too many script kiddies with too much time on their hands who've pre-written and shared security breaking code with the world long before you have time to patch things or sometimes even before the vendor (Microsoft) has had time to release a patch for the vulnerability.

Unless you're dedicated to allowing immediate patch updates (and usually reboots) of Windows including patches that break the real jobs the machine is supposed to be doing, you're bound to get hacked with it sitting on a public address. Make sure you have good backups of the whole thing and test them if you go that route. (You should have those anyway, but it ratchets up the need for them significantly to put it on a public address.)

Now. That's the RIGHT way to do it, but let's say you're broke and must put that Windows machine on the Net or port forward some ports to it...

There ARE ways to set up Microsoft RDP (Remote Desktop Protocol) to be relatively secure, and that's the ONLY port number you would want to "expose" to the world. It's dependent on you staying up to date on all the Microsoft patches religiously or automatically, and you still don't want every port number exposed.

(What's a port number? Good question. Think of your IP address as being a phone number and ports as being the extension you wanted to call inside the building. IP address finds your house. Port number finds the program the remote computer wants to talk to. If you want to talk to the web server when you call, you ask for port 80. If SSL web server you ask for Port 443. All "well known" types of services have a standard port number assigned to them.)

I won't pick on him but I'll say this: You wouldn't hire someone to secure your home who "sounded more sure of himself" each time you talked to him, unless you had to do it on the cheeeeeeeap. And that's essentially what you're tasking him with... Setting you up a known secure way to access your machine from off site from a completely untrustworthy network of machines.

Make him show you how secure his solution is before he implements it. If he seems unsure, get a second opinion. Here or wherever. We've all been at that stage where we were learning this stuff and/or have had the joy of rebuilding a hacked machine from scratch knowing the data that was on it all could have been copied elsewhere. (Most script kiddies tend toward the malicious downing of public systems and not so much stealing data, but like I said, the code to break into things hits the wire sometimes months before a patch is released. Some people just want to slash your tires for fun. Others want to steal the car stereo. Others are looking for the cash or credit card you left in the car.)
 
But if you want to... Just port forward 3389 on your router to your internal server IP. Better solution is throw TeamViewer on it.. Free.
Never expose this port. You will be hammered by Chinese all day/night until they get it. For one, it's a known RDP port. You are better off specifying a high-range random port number and forwarding it internally to 3389. They won't know it's RDP if you make the external port something like 55555.

Sent from my SM-T810 using Tapatalk
 
I believe newer RDP servers will now also do RDP over SSL on port 443. It makes you authenticate over SSL before it lets you sign in to RDP. That would be better than just opening up 3389.
 
Take Spike's firewall and set up an SSL VPN to the firewall, not your server. It will be best if you get a static IP from AT&T.
 
He installed a SonicWall TZ300.
So, instead of analyzing his plan maybe we can analyze what has been done.
How can I be sure it is safe, you guys have me concerned now.
How do I know my server is not hanging out on the internet like ripe fruit?
How do I know I actually have a VPN? (dropping acronyms like I have a clue what they are)
 
Thanks for the detailed explanation, Nate. Digesting it now. Might take you up on the offer to test it for security.
 
The SonicWall is pretty inherently "safe" since it's a firewall. Default settings would be to keep everything not explicitly allowed through it out.

As far as whether or not he set up a VPN, if you go offsite, you'll have to launch a VPN client to connect to anything back at the home or office (I don't know which it is) where your server is. If you don't, all he did was port-forward and that's not the "best" way to do it, but at least means you didn't expose the entire Windows server to the Internet by giving it a public Internet IP address. If he went that route, he probably only opened the Windows RDP port. That's "reasonably" secure, but not perfect "best practices".

The "way to be sure it's safe" is either via review of the Sonicwall setup by someone who's "been there, done that" and/or authorizing someone to port scan the firewall from the outside to see what's exposed and what's not. Really large organizations will take that a step further and authorize full "penetration testing" or "pen test" from the outside, but you're not doing anything complex enough there to warrant it, since it's expensive and usually reserved for things that must be tested like that.

I wouldn't be able to give you exact screens to screen shot without firing up the old TZ 105 I have sitting here in a box, but I'd be happy to look over screenshots of the setup or do a quick port scan and tell you what he left "open" from the outside.

Probably best done via PM, and if it hits my inbox at the wrong time it might take a day or two to get back to you but I would. I'd need your DNS name or public side address and also your permission to do it. (Unlike the bad guys, I don't randomly port scan stuff without permission... Ha!)

If it's easier than PMs here to do in email, just toss me an address to send mine to and we'll get 'er done. It won't be some big in depth security review or anything, just a port scan and description of what I can "see" from here. You can also do this yourself with various tools, if you're more inclined to DIY it and share the results privately and I can tell ya what it means if that's more your thing. This level of help is pretty basic and not too hard for anyone who does this stuff regularly, I'm sure others here can assist also. Whether you want to post any info here in public is up to you.

Other than passwords or VPN keys which should never be posted in public, and maybe the internal address of the server, which isn't going to be hard for anyone who actually broke in or intended harm to figure out anyway, nothing about the public side setup needs to be "secret" anyway, since it's already out in public. So screenshots or the results of a port scan here aren't going to add any additional risk if you want the group to assist.

But, I always offer to do it in private if that makes someone feel better about it.
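As an added illustration (my own example, not code from Nate or anyone else in this thread), here is a small Python script that does the two checks discussed above: it tells you whether an address is one of the "private" ones the carrier's router hides behind NAT, and it tries a plain TCP connect to the remote-access ports the thread mentions (3389 for RDP, 1194 for OpenVPN, 443, VNC) so you can see what answers from a given vantage point. Run it from outside your network against your own public address or DNS name, with the owner's permission, exactly as Nate describes; run from inside, it only tells you about the machine you point it at. The service-name table and the throwaway loopback listener used for the offline demo are constructed for this example.

```python
import ipaddress
import socket
import sys
from contextlib import closing

# Constructed table: the ports this thread talks about, so the report can say
# what a reachable port number probably is.
SERVICE_NAMES = {
    22: "SSH",
    80: "HTTP",
    443: "HTTPS / SSL VPN / RDP over SSL",
    1194: "OpenVPN",
    3389: "RDP",
    5900: "VNC",
}


def is_private_address(addr):
    """True for RFC 1918 (10.x, 172.16-31.x, 192.168.x), loopback and link-local.

    A server that only has a private address cannot be reached from the
    Internet unless the router explicitly forwards a port to it.
    """
    return ipaddress.ip_address(addr).is_private


def port_is_open(host, port, timeout=2.0):
    """Plain TCP connect; True only if something accepted the connection."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_exposure(host, ports=tuple(SERVICE_NAMES), timeout=2.0):
    """Return {port: {"open": bool, "service": name}} for each port checked."""
    return {
        port: {
            "open": port_is_open(host, port, timeout),
            "service": SERVICE_NAMES.get(port, "unknown"),
        }
        for port in ports
    }


def summarize(results):
    """Readable report lines; RDP gets called out because it is the port
    the thread warns against forwarding straight to a Windows server."""
    lines = [
        f"port {port} ({info['service']}) accepted a connection"
        for port, info in sorted(results.items())
        if info["open"]
    ]
    if results.get(3389, {}).get("open"):
        lines.append("RDP is reachable from here; put it behind the VPN instead")
    if not lines:
        lines.append("none of the checked ports accepted a connection")
    return lines


def demo_listener():
    """Constructed sample 'server': a throwaway listener on loopback.

    Returns (socket, port). Used so the script can be exercised offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python check_exposure.py <your public address or DNS name>
        target = sys.argv[1]
        print(f"{target}: private address? {is_private_address(target)}"
              if target.replace('.', '').isdigit() else f"{target}: hostname")
        for line in summarize(check_exposure(target)):
            print(line)
    else:
        # Offline demo against the constructed loopback listener.
        srv, port = demo_listener()
        try:
            for line in summarize(check_exposure("127.0.0.1", [port, 3389])):
                print(line)
        finally:
            srv.close()
```

The `connect_ex` check is deliberately the simplest thing that works: it reports "open" only when a listener accepts a TCP connection, so a firewall that silently drops traffic shows up as closed after the timeout, and a port that is forwarded to an internal machine shows up as open even though the server itself has a private address.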
 
Wow, generous offer, Nate. Thanks.
Expect a PM in the next week.
With gratitude,
 
I.T. says call ATT to get the static IP address (actually, it is 8 minimum @ $15/mo) so that I can use it via the Firewall, and the modem must be in Bridge Mode. ATT throws some switches, voila; 24 hrs later I get static IP addresses. It is not supposed to affect me in any way when I walk into work with my iPhone hoping to use the wifi.

I have only the barest clue what any of that means. Possibly, with a static IP address, when I am out of town my computer or the hotel computer can find my server. The Firewall is a safety feature. The modem is the Uverse box that connects the phone line to the firewall and broadcasts wifi.

I do not yet know if any of this is "VPN" or "RDP"; perhaps Nate will help me with that later. Thanks.
 
I have only the barest clue what any of that means. Possibly, with a static IP address, when I am out of town my computer or the hotel computer can find my server. The Firewall is a safety feature. The modem is the Uverse box that connects the phone line to the firewall and broadcasts wifi.

A static IP is like your internet phone number. Until today, your phone number changed every couple of days. Didn't matter much if you make outbound calls, but is kind of inconvenient if you want to receive calls. Now, ATT has given you a fixed phone number.

I do not yet know if any of this is "VPN" or "RDP"; perhaps Nate will help me with that later. Thanks.

Having a static IP is pretty much a prerequisite to use VPN or RDP to connect with your network remotely. To call someone, you got to know their phone number (there are some workarounds to that, but a static IP sure makes it a lot easier).
 
ok, thanks Weilke.
Sort of wondering why they did not give each box a designated (static) IP address to begin with.
Dave
 
Because there are only so many to go around, and unless you have a legitimate need for one (like having a VPN or mail server in-house), there's no need.
 
Because there are only so many to go around, and unless you have a legitimate need for one (like having a VPN or mail server in-house), there's no need.

Both of my ISPs are a bit knuckleheaded about this. I can't just get one static IP, the smallest pack is 5. So now, instead of 4 numbers (1 per ISP per site), I am blocking 20....
 
Because there are only so many to go around

Hmm, the discussion about the dynamic IP situation, which used a variety of addresses each time you connected, seemed like that was probably using a lot more addresses than you would if you just had one dedicated IP address. Thanks for educating me.
 