How to Securely Access a Server GUI from a Workstation
Novell Cool Solutions: Feature
By Simon Flood
Posted: 14 Jun 2007
I wanted to be able to securely access a server's graphical console (GUI) from a workstation rather than having to be physically located where the server was.
Yes, you can redirect the X Server screen, but you then need an X Window System on your workstation.
Fortunately VNC has been ported to NetWare (and is available from Novell Forge), so you can use this to access all of your server screens, including the graphical console screen.
However, all VNC access is unencrypted, which could prove a problem when used in a secure environment.
What I do is install VNC on my NetWare servers and then, when I want to access a particular server, establish an SSH-encrypted tunnel and access VNC through that.
After installing VNC I also use NetWare's FILTCFG.NLM to filter IP packets and block direct access to the insecure VNC ports.
- Download vncnw_bin_1_02_1a.zip from the Novell Forge's VNC for NetWare project page
- Unzip the downloaded file to the root of the SYS: volume of the server you're installing to, taking care NOT to overwrite any newer files (some of the Java files installed with Support Packs may be newer than those downloaded with VNC for NetWare)
- At the server's console (you will need to use RCONSOLE, FreeCon, etc.) LOAD VNCPASS and enter a password (maximum of 7 characters) to use for VNC sessions
- Start the VNC Server with LOAD VNCSRV (you might want to add this to AUTOEXEC.NCF so it gets loaded after each restart)
- At this stage check that insecure VNC access works by using a VNC Viewer (I use RealVNC Viewer) to access the server (use the IP address of the server and port 5900)
- If OpenSSH is not already installed on your server (with NetWare 6.5 it can and should be installed from the Products CD) then install it now
- Ensure OpenSSH is active - LOAD SSHD if not (you might want to add this to AUTOEXEC.NCF)
- Use an SSH client (I prefer PuTTY) to make an SSH connection to the server - at the same time create a secure tunnel between your workstation and the server
With PuTTY this can be done with the following command line (that can be saved as a shortcut)
drive:\directory\putty.exe -ssh server_name_or_IP_address -L
- You do NOT need to log in to the server via SSH (so do not need rights) - you just need the connection active
- You should now be able to use your VNC viewer to connect to the server via the secure tunnel by pointing it at localhost:5900
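The check a practitioner wants at this point is that VNC answers on the workstation's tunnel endpoint (localhost:5900) while the server's own port is no longer reachable directly once the filters from the later steps are in place. The script below is an added example, not part of the original article or of VNC for NetWare; it relies only on the RFB protocol's first message (the server greets with "RFB xxx.yyy" followed by a newline) and uses a constructed stand-in VNC server so it can be exercised offline. The host name `server_name_or_IP_address` is a placeholder to replace.

```python
"""Added example (not from the original article): probe VNC through the
SSH tunnel and directly, reporting the RFB banner seen on each path.

Assumptions: the VNC server speaks standard RFB (first bytes are
"RFB xxx.yyy\n"); host/port values below are placeholders.
"""
import socket
import threading


def rfb_banner(host, port, timeout=3.0):
    """Return the RFB version string the VNC server greets with, or None
    if the port is closed, filtered (timeout) or speaks something else."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            buf = b""
            while len(buf) < 12:  # "RFB 003.003\n" is exactly 12 bytes
                chunk = sock.recv(12 - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError:  # refused, unreachable, DNS failure or timeout
        return None
    text = buf.decode("ascii", errors="replace").strip()
    return text if text.startswith("RFB ") else None


def check_exposure(server_host, vnc_port=5900, tunnel_port=5900):
    """Report what answers via the local tunnel endpoint and directly on
    the server; after the filters are in place 'direct' should be None."""
    return {
        "via_tunnel": rfb_banner("127.0.0.1", tunnel_port),
        "direct": rfb_banner(server_host, vnc_port),
    }


def serve_fake_rfb(version=b"RFB 003.003\n"):
    """Constructed stand-in for a VNC server: answers one client with the
    RFB banner and exits. Returns the bound port so callers can probe it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(version)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Bind then release an ephemeral port so a probe to it is refused
    (used to simulate the filtered direct path)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Replace the placeholder with the real server; the tunnel must be up.
    print(check_exposure("server_name_or_IP_address"))
```

Run it from the workstation with the PuTTY tunnel active: the expected end state is a banner under `via_tunnel` and `None` under `direct`. A banner under `direct` means the VNC ports are still reachable without the tunnel.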
At this stage you should have secure VNC set up, but direct insecure access will still work
- Edit SYS:/etc/builtins.cfg and add the following two lines (perhaps before IPX services are defined)
PROTOCOL-SERVICE IP, vnc-http, pid=TCP port=5800 srcport=<All>, VNC via HTTP
PROTOCOL-SERVICE IP, vnc, pid=TCP port=5900 srcport=<All>, VNC
- Whilst you're at it, correct the following line
PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=<All>, Stateful POP3 Service
to add stfilt=1, since it's listed as "stateful"!
PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=<All> stfilt=1, Stateful POP3 Service
- Edit SYS:/etc/services and add the following two lines (perhaps separately, in port number order)
vnc-http 5800/tcp # VNC via HTTP
vnc 5900/tcp # VNC
(you might want to format them afterwards so the columns line up)
- RESTART SERVER (unfortunately this is necessary - an edited services file can be re-read with ws2_32 reload services, but builtins.cfg can't be!)
- LOAD INETCFG, navigate to Protocols | TCP/IP and change Filter Support to Enabled
- LOAD FILTCFG, navigate to Configure TCP/IP Filters | Packet Forwarding Filters and make sure Status is Enabled and Action is Deny Packets in Filter List
- Insert two new Filters where Source and Destination are both <All Interfaces>, one for vnc and the other for vnc-http
- REINITIALIZE SYSTEM
The server should now accept secure VNC connections via an SSH-encrypted tunnel but NOT insecure ones directly.
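Because a typo in either file silently leaves the port unfiltered, it is worth cross-checking the two edits before the restart. The script below is an added example and not part of the original article or of NetWare: it parses PROTOCOL-SERVICE lines in the builtins.cfg format shown above and the name/port pairs in the services format, confirms that the vnc and vnc-http definitions exist in both with matching port and protocol, and flags any service whose description says "stateful" but which lacks stfilt=1 (the pop3-st case the article corrects). The file contents are constructed samples; lines of any type other than PROTOCOL-SERVICE are skipped.

```python
"""Added example (not part of the original article): consistency check of
the VNC entries in SYS:/etc/builtins.cfg against SYS:/etc/services.

The sample file contents are constructed in the formats the article shows.
"""
import re

# Constructed sample: the pop3-st line as shipped (no stfilt=1) plus the
# two VNC lines the article adds.
BUILTINS_SAMPLE = """\
PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=<All>, Stateful POP3 Service
PROTOCOL-SERVICE IP, vnc-http, pid=TCP port=5800 srcport=<All>, VNC via HTTP
PROTOCOL-SERVICE IP, vnc, pid=TCP port=5900 srcport=<All>, VNC
"""

# Constructed sample of the corresponding services entries.
SERVICES_SAMPLE = """\
pop3        110/tcp     # POP3
vnc-http    5800/tcp    # VNC via HTTP
vnc         5900/tcp    # VNC
"""


def parse_builtins(text):
    """Map service name -> {proto, port, params, comment} from the
    comma-separated PROTOCOL-SERVICE lines; other line types are ignored."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.upper().startswith("PROTOCOL-SERVICE"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue
        name = fields[1]
        # third field is space-separated key=value pairs, e.g. pid=TCP port=5900
        params = dict(p.split("=", 1) for p in fields[2].split() if "=" in p)
        port = params.get("port", "")
        services[name] = {
            "proto": params.get("pid", "").lower(),
            "port": int(port) if port.isdigit() else None,
            "params": params,
            "comment": fields[3] if len(fields) > 3 else "",
        }
    return services


def parse_services(text):
    """Map name -> (port, proto) from an /etc/services style file."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line, re.IGNORECASE)
        if m:
            entries[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return entries


def audit(builtins_text, services_text, required=("vnc", "vnc-http")):
    """Return a list of problems; an empty list means the two files agree
    on the required services and every 'stateful' entry carries stfilt=1."""
    problems = []
    builtins = parse_builtins(builtins_text)
    services = parse_services(services_text)
    for name in required:
        if name not in builtins:
            problems.append(f"{name}: missing PROTOCOL-SERVICE in builtins.cfg")
        if name not in services:
            problems.append(f"{name}: missing from services")
        if name in builtins and name in services:
            if (builtins[name]["port"], builtins[name]["proto"]) != services[name]:
                problems.append(f"{name}: port/protocol differs between builtins.cfg and services")
    for name, svc in builtins.items():
        if "stateful" in svc["comment"].lower() and svc["params"].get("stfilt") != "1":
            problems.append(f"{name}: described as stateful but stfilt=1 not set")
    return problems


if __name__ == "__main__":
    for problem in audit(BUILTINS_SAMPLE, SERVICES_SAMPLE):
        print(problem)
```

On the sample input the only finding is the pop3-st line; once stfilt=1 is added to it, as the article describes, the audit returns nothing. To check a real server, read the two files from the SYS: volume and pass their contents to `audit` in place of the samples.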
To access the graphical console screen your server needs to be NetWare 6.0 SP3 with Java 1.4.1 or higher or NetWare 6.5.
Additional software involved:
- VNC for NetWare (available from http://forge.novell.com/modules/xfmod/project/?vncnw)
- RealVNC Viewer (available from http://www.realvnc.com/)
- OpenSSH for NetWare (available from http://forge.novell.com/modules/xfmod/project/?openssh)
- PuTTY (available from http://www.chiark.greenend.org.uk/~sgtatham/putty/)
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com