Netgate Discussion Forum
    Giving remote control access to few machines

    General pfSense Questions | 11 Posts, 4 Posters, 1.2k Views
    ashima (LAYER 8):

      Hello everyone,

      We have around 500 machines in the network. At times a remote session has to be provided to certain vendors to help troubleshoot a machine. We have a pfSense firewall (2.4.2) with Squid (SSL mode) and SquidGuard. Remote control software is denied by SquidGuard, so software like TeamViewer, AnyDesk and Ammyy Admin doesn't work. But at times it becomes necessary to give remote access to the vendor, so I have thought of a solution. I would like to hear your input.

      Install a simple Xubuntu desktop acting as an UltraVNC Repeater behind the firewall, on a separate port other than the LAN. Do a port forward in the firewall to the Ubuntu server. Allow the vendors to use the UltraVNC Viewer to access the UltraVNC Repeater, which will further redirect to the UltraVNC Servers on the LAN.
      

      I would like to know any other pointers or suggestions. The vendors are not ready to install the OpenVPN client to do a VPN connection as they find it quite confusing. We tried but it doesn't work. (For that we had to take remote control of the vendor's PC and install the OpenVPN client on it :)

      Any suggestions?
      Regards,
      Ashima

      KOM:

        @ashima said in Giving remote control access to few machines:

        The vendors are not ready to install the OpenVPN client to do a VPN connection as they find it quite confusing.

        😲

        1. Run the OpenVPN Windows installer.
        2. Run the OpenVPN client.
        3. Import the config file.
        4. Connect and supply username/password.

        (* On Linux/macOS it's even easier, since the client is preinstalled. You just need to import the config.)

        If they are confused by this four-step process, they would have no business doing anything on my network. They would rather you introduce a security hole in your network due to their laziness or lack of knowledge. Not acceptable if they work for you.

        ashima (LAYER 8):

          Thank you @KOM for the quick response. We tried all that, but these vendors are basically non-IT people. They only know how to tune their software. There are a few practical difficulties:

          1. The person doesn't have admin rights (OpenVPN needs administrative rights to be installed and run) on the PC with which he does the VPN connection.
          2. The person and the PC keep changing, so we keep getting repeated calls to help them connect.
             And it's not 1 vendor, there are around 50 of them.
             So it isn't working with them. I myself use OpenVPN to connect from remote.

          So I thought of putting up a Xubuntu machine (just to minimize the damage). Is there any other solution that can be implemented?

          ashima (LAYER 8):

            I just read that OpenVPN 2.4.6 has the ability to run the OpenVPN GUI without administrator privileges, but we are stuck on OpenVPN 2.3 as most of the vendors are still using Windows XP.

            KOM:

              Then you end up in a similar boat, where you have to instruct them on how to install & use VNC...

              If this is the only option, then at the very least you will need to craft your port-forward so that it only allows inbound connections from a trusted IP address or subnet.

              NogBadTheBad (replying to @ashima):

                @ashima

                1. The person doesn't have admin rights (OpenVPN needs administrative rights to be installed and run) on the PC with which he does the VPN connection.
                2. The person and the PC keep changing, so we keep getting repeated calls to help them connect.

                Why are 1 & 2 your issue? You don't run the vendors' support.

                Document what they need to do and pass it on to the vendors IT support.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                ashima (LAYER 8, replying to @KOM):

                  @kom said in Giving remote control access to few machines:

                  Then you end up in a similar boat, where you have to instruct them on how to install & use VNC...

                  If this is the only option, then at the very least you will need to craft your port-forward so that it only allows inbound connections from a trusted IP address or subnet.

                  These guys are quite familiar with VNC.

                  So what are the points I need to take care of?

                  "Allowing inbound connections from trusted IPs" --- may not always be possible. I shall try.
                  Are there any other points that I can take care of?

                  The reason for opting for Xubuntu rather than a Windows machine is to make it more secure. Also, it will be on a separate subnet from the rest of the machines.

                  KOM:

                    @ashima said in Giving remote control access to few machines:

                    "Allowing inbound connections from trusted IPs" --- may not always be possible. I shall try.

                    I'm pretty sure it's possible if you insist "No access without knowing your IP address in advance."

                    The goal is to minimize the attack surface as much as possible. That means having the bare minimum of services exposed to the public net, and whitelisting those addresses that want to get into your network. That's about all you can do.

                    johnpoz (LAYER 8, Global Moderator, replying to @NogBadTheBad):

                      @nogbadthebad said in Giving remote control access to few machines:

                      Document what they need to do and pass it on to the vendors IT support.

                      Exactly!!! They need to be able to connect securely to your network... Or they need to get their butts on site.. It's that freaking simple..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      ashima (LAYER 8):

                        Thank you all for your responses.

                        I understand the risk in doing so... but the management is quite ignorant of these attacks. They just want the work to be done. (In fact, the previous IT team had kept port 3389 open for RDP to their server. They were just lucky enough not to get attacked.) It was a big task for me to convince them to put in a pfSense firewall.

                        Anyway, let me quickly summarize the points:

                        1. Putting up a Xubuntu machine which will act as an UltraVNC repeater proxy between the UltraVNC Server and Client.

                        2. Xubuntu machine on a separate subnet from the rest of the LAN.

                        3. Putting in firewall rules such that communication between the Xubuntu subnet and the LAN subnet is only to the specific vendor-supplied machine and not the rest of the machines on the LAN.

                        4. Firewall rules to stop all communication to/from the Xubuntu machine during non-office hours.

                        5. Restricting inbound connections to trusted IPs.

                        6. Last but not least, changing the default VNC port.

                        Is there anything else I can add....

                        Thank you.

                          johnpoz (LAYER 8, Global Moderator, replying to @ashima):
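The six-point plan above, together with KOM's earlier advice to restrict the port forward to a trusted source address, can be expressed as a pf ruleset. The fragment below is an added example, not from the thread or from pfSense's own generated configuration; pfSense builds its ruleset from the GUI, so the point is to show what the resulting rules should amount to. Interface names, subnets, the repeater address, the vendor source addresses (RFC 5737 documentation ranges) and the non-default port are all assumptions.

```pf
# Added example: pf rules covering points 1-6 of the plan. All names and addresses are assumed.
#
#   WAN = em0   vendor-facing interface
#   LAN = em1   192.168.1.0/24   the ~500 production machines
#   DMZ = em2   192.168.50.0/24  isolated subnet holding the Xubuntu repeater (point 2)

wan     = "em0"
lan     = "em1"
dmz     = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.50.0/24"

repeater      = "192.168.50.10"                      # Xubuntu box running the UltraVNC repeater (point 1)
repeater_port = "35900"                              # non-default viewer-side port (point 6)
vendor_ips    = "{ 203.0.113.10, 198.51.100.0/28 }"  # vendor public addresses, supplied in advance (point 5)
vnc_target    = "192.168.1.57"                       # the one LAN machine being serviced today (point 3)

# Points 5 and 6: forward the repeater port to the DMZ box, but only for the listed vendor sources.
# Any other source never matches the rdr or the pass rule and falls through to the default block.
rdr on $wan proto tcp from $vendor_ips to ($wan) port $repeater_port -> $repeater port $repeater_port
pass in quick on $wan proto tcp from $vendor_ips to $repeater port $repeater_port flags S/SA keep state

# Point 3: the repeater may open VNC (5900) to exactly one LAN host; everything else DMZ -> LAN is dropped.
# The repeater will forward to any LAN address it can reach, so this rule, not the repeater, is what
# stops a vendor from pointing the viewer at a different machine.
pass in quick on $dmz proto tcp from $repeater to $vnc_target port 5900 flags S/SA keep state
block in quick on $dmz from $dmz_net to $lan_net
block in quick on $dmz from $dmz_net to ($lan)       # no access to the firewall's own LAN address either

# Point 4 (office hours only) has no native pf expression: in pfSense it is a Schedule attached to the
# two pass rules above, and the firewall removes those rules outside the schedule window.
# Default-deny the rest of the DMZ so the repeater cannot reach anything it was not explicitly given.
block in quick on $dmz
```

When the serviced machine changes, only `vnc_target` changes (in pfSense, an alias referenced by the DMZ-to-LAN pass rule); the vendor-facing rule and the port stay fixed. If a vendor cannot supply a source address in advance, the `vendor_ips` restriction is what is lost, and the DMZ-to-LAN rule becomes the only thing limiting what a connection from the Internet can reach.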

                          @ashima said in Giving remote control access to few machines:

                          They were just lucky enough not to get any attack

                          That you are aware of - your whole network could be compromised currently if someone guessed your top secret user account and password to RDP in.. Since it was for vendor support it was prob something stupid simple ;)

                          Restricting inbound connections from trusted ip.

                          This is a good idea for sure..


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.