#1
Help using session firewall option.
Hello,
While using the 'firewall' setting in a 'session', the connection fails to connect. Selecting a 'session' HostA..C session will log in to the firewall and connect the session directly to the client.

Code:

    [SecureCRT] --> [SSHD Jump] ------> ClientA
                                 \---> ClientA
                                 \---> ClientB
                                 \---> ClientC

    Creating the SSHD Jump session:
    [LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
    [LOCAL] : SEND[0]: Pty Request (rows: 70, cols: 175)
    [LOCAL] : RECV[0]: pty request succeeded
    [LOCAL] : SEND[0]: agent forwarding request
    [LOCAL] : RECV[0]: agent request succeeded
    [LOCAL] : SEND[0]: exec request: null -tenant username -host hostname
    [LOCAL] : RECV[0]: exec request succeeded
    SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3

What has been unsuccessful:

From the above you can see the current firewall is directly connected to the end client session, yet the client session does not reply. It seems that sCRT is trying to be fancy.

- sCRT modifies the first firewall session
- Adding:
    [LOCAL] : FIREWALL : Starting port forward from 127.0.0.1 on local 127.0.0.1:59340 to remote sv-vpn:22
- Issue:
    [LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_CLOSED

This is highly complex in dealing with how the sessions are reused. Is it possible to reuse the firewall port/session for the client/session communication?

Please do ask questions if I have been unclear; I would be happy to provide more details / logs ...

Thank you.
Derek
__________________
--------------------------------------------------------------
OS Name Microsoft Windows 10 Pro
Version 10.0.14393 Build 14393
Processor Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, 4001 Mhz, 4 Core(s), 8 Logical Processor(s)
Installed Physical Memory (RAM) 64.0 GB
SecureCRT Version 8.7.0 (x64 build 1183) - Official Release - September 8, 2016

Last edited by mr.dk; 11-07-2016 at 01:17 PM.
#2
You described success as:
Quote:
This isn't yet something that can be done in SecureCRT with a firewall configuration. I've created a feature request on your behalf for the ability to specify a proxy command (which involves remote exec, as you've explained in your "success").

In the meantime, you can get close to this by using a *copy* of your jump host session and setting up the Remote command to connect to your end host as you've done with the rexec 'null -tenant dvanveen -host sv-vpn', instead of trying to use the jump host session as a Firewall.

--Jake
__________________
Jake Devenport
VanDyke Software Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
#3
Hello,
Glad you understand, I'm on day 10 of sCRT use so I'm not an expert yet.

To clarify, the "hooks up stdin/out/err" is done with ssh script @ client, tenant, and again a rsa key ...

For security reasons 'ssh' is not allowed on the server side; the script, as you pointed out, does the proxy and drops the session, waiting for the client session to continue ...

Thank you.
Dk
Last edited by mr.dk; 11-07-2016 at 01:21 PM.
#4
I may have been confusing you with 'firewall' or 'tunneling'; it seems the connection I'm after is more of an SSH proxy. (Below is a working configuration from CentOS7.)

Another use case for proxying connections:

    PC ---> Proxy ---> Server

    PC> ssh cloud@Server+

    [root@CentOS7 .ssh]# cat config
    Host *+
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null
        IdentityFile ~/.ssh/cloud_rsa
        User cloud
        ProxyCommand ssh proxy -- -tenant myself -host $(echo %h | sed -e 's?+virtual??g')

    Host Proxy
        Hostname proxy.hostname.com
        StrictHostKeyChecking no
        User jump
        UserKnownHostsFile=/dev/null
        IdentityFile ~/.ssh/jump_rsa
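An added example, not part of the original posts or of any VanDyke or OpenSSH code: a small wrapper that could stand in for the inline `$(echo %h | sed ...)` substitution in the ProxyCommand above, restricting the alias to hostname characters before it is sent to the jump host as the `-host` argument. The script path, the handling of both the `+` and `+virtual` suffixes, and exit code 64 are assumptions; `proxy` and `-tenant myself` are taken from the posted config.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed use in ~/.ssh/config:
#   ProxyCommand /path/to/jump-proxy.sh %h
# "proxy" and "-tenant myself" come from the posted config.

LC_ALL=C; export LC_ALL   # byte-wise character ranges in the pattern below

# Print the real host name for an alias such as "Server+" or
# "Server+virtual"; return 1 if the result is not a plain host name.
jump_target() {
    target=${1%+virtual}      # suffix removed by the post's sed expression
    target=${target%+}        # suffix matched by the post's "Host *+"
    case $target in
        # empty, leading "-" (would read as an option), leading ".",
        # or any character outside letters, digits, "." and "-"
        '' | -* | .* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#target}" -le 253 ] || return 1
    printf '%s\n' "$target"
}

# Validate the alias, then hand the connection to the jump host.
jump_exec() {
    target=$(jump_target "$1") || {
        printf 'jump-proxy: refusing host alias "%s"\n' "$1" >&2
        return 64
    }
    exec ssh proxy -- -tenant myself -host "$target"
}

# Only connect when called with an argument (the expanded %h).
if [ "$#" -gt 0 ]; then
    jump_exec "$1"
fi
```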
#5
Quote:
FYI. --Jake
#6
Proxy Command has been implemented in SecureCRT 8.7 for Windows, which can be downloaded here:
https://www.vandyke.com/cgi-bin/rele...duct=securecrt

It can be configured in the Global Options dialog in the Firewall category.

Maureen

Tags: firewall, proxy, session chaining