Cool Solutions

How to Securely Access a Server GUI from a Workstation



June 14, 2007 12:40 pm

by Simon Flood

Problem:

I wanted to be able to securely access a server’s graphic console (GUI) from a workstation rather than have to be physically located where the server was.

Yes, you can redirect the X Server screen, but you then need an X Window System on your workstation.

Fortunately VNC has been ported to NetWare (and is available from Novell Forge) so you can use this to access all of your server screens, including the graphical console screen.

However, all access is insecure, which could prove a problem when used in a secure environment.

Solution:

What I do is install VNC on my NetWare servers and then when I want to access a particular server I establish an SSH-encrypted tunnel and access VNC via that.

After installing VNC, I also use NetWare’s FILTCFG.NLM to filter IP packets and block direct access to the insecure VNC ports.

  1. Download vncnw_bin_1_02_1a.zip from the Novell Forge’s VNC for NetWare project page
  2. Unzip the downloaded file to the root of the SYS: volume of the server you’re installing to, taking care NOT to overwrite any newer files (some of the Java files installed with Support Packs may be newer than those downloaded with VNC for NetWare)
  3. At the server’s console (you will need to use RCONSOLE, FreeCon, etc.), LOAD VNCPASS and enter a password (maximum of 7 characters) to use for VNC sessions
  4. Start the VNC Server by LOAD VNCSRV (you might want to add this to AUTOEXEC.NCF so it gets loaded after each restart)
  5. At this stage, check that insecure VNC access works by using a VNC viewer (I use RealVNC Viewer) to access the server (use the IP address of the server and port 5900)
  6. If OpenSSH is not already installed on your server (with NetWare 6.5 it can and should be installed from the Products CD), then install it now
  7. Ensure OpenSSH is active – LOAD SSHD if not (you might want to add this to AUTOEXEC.NCF)
  8. Use an SSH client (I prefer PuTTY) to make an SSH connection to the server – at the same time create a secure tunnel between your workstation and the server

    With PuTTY this can be done with the following command line (which can be saved as a shortcut):

    drive:\directory\putty.exe -ssh server_name_or_IP_address -L 5900:server_name_or_IP_address:5900

  9. You do NOT need to log in to the server via SSH (so do not need rights) – you just need the connection active
  10. You should now be able to use your VNC viewer to connect to the server via the secure tunnel by pointing it at localhost:5900

    At this stage you should have secure VNC set up but insecure access will still work

  11. Edit SYS:/etc/builtins.cfg and add the following two lines (perhaps before IPX services are defined)

    PROTOCOL-SERVICE IP, vnc-http, pid=TCP port=5800 srcport=<All>, VNC via HTTP
    PROTOCOL-SERVICE IP, vnc, pid=TCP port=5900 srcport=<All>, VNC

  12. Whilst you’re at it correct the following

    PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=<All>, Stateful POP3 Service

    to add in stfilt=1 since it’s listed as “stateful”!

    PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=<All> stfilt=1, Stateful POP3 Service

  13. Edit SYS:/etc/services and add the following two lines (perhaps separately, in port number order)

    vnc-http          5800/tcp          # VNC via HTTP
    vnc               5900/tcp          # VNC

    (you might want to format them afterwards so the columns line up)

  14. RESTART SERVER (unfortunately – edited services can be re-read by ws2_32 reload services but builtins.cfg can’t!)
  15. LOAD INETCFG, navigate to Protocols | TCP/IP and change Filter Support to Enabled
  16. LOAD FILTCFG, navigate to Configure TCP/IP Filters | Packet Forwarding Filters and make sure Status is Enabled and Action is Deny Packets in Filter List
  17. Insert two new Filters where Source and Destination are both <All Interfaces>, one for vnc and the other for vnc-http
  18. REINITIALIZE SYSTEM

The server should now accept secure VNC connections via an SSH-encrypted tunnel but NOT insecure ones directly.
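
To confirm that end state from the workstation, the following check is an added example (not part of the original article or of VNC for NetWare). It assumes the PuTTY tunnel from step 8 is open on local port 5900; the function names `probe` and `audit` are hypothetical, and `server_name_or_IP_address` is the article's own placeholder.

```python
import socket

# The two services the article filters in steps 11-17.
VNC_PORTS = {5800: "vnc-http", 5900: "vnc"}

def probe(host, port, timeout=3.0):
    """Classify one TCP endpoint as 'rfb', 'open' or 'blocked'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                # A VNC (RFB) server speaks first: 12 bytes like b"RFB 003.008\n".
                banner = conn.recv(12)
            except OSError:
                banner = b""  # connected, but nothing sent (e.g. an HTTP listener)
    except OSError:
        return "blocked"  # refused, silently dropped (timeout) or unreachable
    return "rfb" if banner.startswith(b"RFB ") else "open"

def audit(server, tunnel=("127.0.0.1", 5900), ports=VNC_PORTS, timeout=3.0):
    """Return findings; an empty list means the article's end state holds."""
    findings = []
    for port, name in sorted(ports.items()):
        state = probe(server, port, timeout)
        if state != "blocked":
            findings.append(f"{name}: {server}:{port} reachable directly ({state})")
    if probe(tunnel[0], tunnel[1], timeout) != "rfb":
        findings.append(f"tunnel: no VNC banner at {tunnel[0]}:{tunnel[1]}")
    return findings

if __name__ == "__main__":
    # Placeholder from the article's PuTTY command; replace with your server.
    problems = audit("server_name_or_IP_address")
    for line in problems:
        print("FAIL", line)
    print("OK" if not problems else f"{len(problems)} problem(s)")
```

A server name that does not resolve is also reported as blocked, so run the check against the server's IP address to avoid a false pass.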

Environment:

To access the graphical console screen your server needs to be NetWare 6.0 SP3 with Java 1.4.1 or higher or NetWare 6.5.

Additional software involved:


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
