Secure WebConsole through firewall ?

 
Geetam
Frequent Advisor

Secure WebConsole through firewall ?

I can access my Webconsole(s) fine when I am on the LAN, but not when I dial in and need to go through a firewall and proxy. Can you give me some ideas what I need to do (what needs to be opened up on the firewall, etc.)?
25 REPLIES
Ravi_8
Honored Contributor

Re: Secure WebConsole through firewall ?

hi,
Since the web console will have its own unique IP, which will be different from your network IP, you can't access the WC when you are going through the proxy. Assign an IP address in your network range to the WC and you can access it.
never give up
Geetam
Frequent Advisor

Re: Secure WebConsole through firewall ?

Ravi

Thanks for the response, but the IP address is not the problem. I am accessing the webconsole fine when I am connected directly on the LAN, i.e., I have the correct IP address. The problem arises when I connect to the LAN via a dial-up connection, going through a firewall/proxy. I suspect the firewall/proxy are not letting some particular type of network traffic through. I am looking for what types of network traffic are required for Secure WebConsole.
Vincenzo Restuccia
Honored Contributor

Re: Secure WebConsole through firewall ?

In the firewall, open port 80 for the IP of the WC.

Re: Secure WebConsole through firewall ?

I'm not sure what kind of firewall or proxy you have, but as others have already said, you need to make sure that a) the firewall and proxy are configured to allow you access to the IP address, and b) the port is open. If you have those 2 things set up OK, you'll be fine. Unfortunately, things are not always that simple. For example, a proxy is normally a one-way connection, so what side of the proxy are you on? Are you on the outside of the proxy trying to connect to the inside (which will complicate things) or the other way around? If you are on the inside of the proxy trying to connect to (what it thinks is) the outside, chances are you'll be OK there, providing you don't have any subnet issues. E.g., if your IP is 10.x.x.x and the WC is 172.x.x.x, you might have trouble unless you have a router.

Sound complicated? If you provide a little more information like the kind of proxy server you have and the IP addresses you're using, etc.
Remember, usability is key to successful computing!
Geetam
Frequent Advisor

Re: Secure WebConsole through firewall ?


I am not sure what you mean with 'outside' and 'inside', I use the terms like this:
I am connecting from outside (at home, in the big wide world) to inside (company LAN, with HP9000/WebConsole). I can connect to NT servers and I can ping my HP9000s and WebConsoles. Routing and subnets should be set-up OK.

You are right about the proxy being one-way. My network administrator has confirmed that, when I am dialling in, I am not going through the proxy server, only the firewall.

Port 80 is open on the firewall. Are we sure only port 80 is required for Secure WebConsole?

Thanks
Vincenzo Restuccia
Honored Contributor

Re: Secure WebConsole through firewall ?

Yes, the physical connection is ok?
Ravi_8
Honored Contributor

Re: Secure WebConsole through firewall ?

hi, Geetam
Check in the firewall what range of IPs is allowed, or whether only specific IPs are allowed; if so, make an entry for the system (IP) from which you are logging in.
Because if you are using the checkpoint-I firewall, we can block a certain range or specific IPs.


later
ravi
never give up
Geetam
Frequent Advisor

Re: Secure WebConsole through firewall ?

Vincenzo,
Physical connection is OK, I can connect to NT servers on the LAN and I can ping my HP9000s and WebConsoles.

Ravi,
By the time I have logged in to the LAN, blocked IP address ranges are not in effect (according to our Network Admin)

I am puzzled, any other suggestions?
Thanks
Vincenzo Restuccia
Honored Contributor

Re: Secure WebConsole through firewall ?

Check routing table:
unix
#netstat -rn
NT
#route print
Ravi_8
Honored Contributor

Re: Secure WebConsole through firewall ?

hi,
If the routing doesn't exist, do add it to the routing table.
If your system has a static IP then add it in your system itself, or if you are on DHCP add it in the unix system routing table.

Can you log in to the unix system? (forget the WC here)
later
ravi
never give up
Geetam
Frequent Advisor

Re: Secure WebConsole through firewall ?

Port 80 definitely open - I can browse intranet site (on NT server)

Vincenzo,
Routing definitely OK, I can ping HP9000 hosts and WebConsoles.

I can get further than that: I can connect to WebConsole with browser, I get login screen, I type username/password and click 'login'. Then I get a small box "login in progress". After a while a slightly bigger box: "the operation has failed due to a network error"

I think it is either some security mechanism filtering my network traffic, or it could be a time-out...

Ravi,
No, I cannot login to my unix machines because the telnet port is filtered by security network equipment! That is why I am trying to get the WebConsole to work..., I normally prefer telnet.

Any ideas? (thanks for your persistence)
Vincenzo Restuccia
Honored Contributor

Re: Secure WebConsole through firewall ?

#telnet ip_webconsole 80
#telnet HP9000
Output?
Model HP9000 (N-class,L-class,???) ??
Jason Dinsdale
Frequent Advisor

Re: Secure WebConsole through firewall ?

Geetam,

You're not alone. I too have exactly the same problem in that:

1 - I'm accessing the web console from the internet via a firewall. The firewall has static NAT to xlate the private IP of the WC to a valid external IP address. Port 80 is open and the routing on the firewall had to be updated to facilitate access to the WC. I know this because I administer the firewall (FW-1 BTW).

2 - I can access the firewall just fine - I get the initial login screen, but once I enter a username/password the dialog appears stating 'Login is in progress' - but then nothing.

My conclusion is that there must be traffic on other TCP ports that is/are being blocked.

Next week I will check the firewall logs to see if anything has been logged on the firewall.

Jason
If a man talks in a forest and there is no woman to hear, is he still wrong?
Jason Dinsdale
Frequent Advisor

Re: Secure WebConsole through firewall ?

Apologies, I meant to say that I can access the *Web Console* just fine via the firewall.
If a man talks in a forest and there is no woman to hear, is he still wrong?
Keir Josephson
Occasional Visitor

Re: Secure WebConsole through firewall ?

I've been experiencing exactly the same problem as well. I also checked the logs on the firewall and there are hits at port 1272, 1273, 1274, 1275, & 1276, however, they are accepted through fine. It still hangs on with the "login in progress" window.

If anyone from HP's webconsole team is reading this, what ports are the login class files accessing? The reason it appears to hang is because once the login signal is sent by the web browser there are no more data packets transmitted back from the web console. What does it need to get past the login script?

NOTE: I don't think it's the IP range, because when I login to my local LAN RAS gear I get assigned a 209.x.x.x address and the web console has an internal 10.x.x.x address. This scenario works fine.

Jason Dinsdale
Frequent Advisor

Re: Secure WebConsole through firewall ?

Here's an update:

Not only does the web console use port 80, it also uses the telnet port (23) for the connection; apparently this is not an actual telnet connection and so it's not a security risk, but a potential problem is that some firewalls meddle with the data stream by running a telnet proxy for firewall-based authentication etc., so even if you allowed port 23 traffic through it still might not work.

If you have the latest firmware A1.9 this port is set at 23, but the latest beta revision (A1.10) allows you to change this to another port. Unfortunately, even though I've upgraded our web console with this beta firmware and set the port to 2100, it still doesn't seem to work.

I'll experiment some more and post more when I have some progress.

Jason
If a man talks in a forest and there is no woman to hear, is he still wrong?
Volker Borowski
Honored Contributor

Re: Secure WebConsole through firewall ?

Something to debug:

Create a regular session inside your LAN.
Connect / Disconnect / Work

All the time do a "netstat -n" in an endless loop on the machine that connects to the web-console and capture the output. Make sure all other network connections are disabled to ease debugging (mail, telnets ...)

Check the "netstat -n" output for uncommon ports, and try to permit them on the firewall.

If possible, debug on the firewall!
It should be able to give clear messages about what type of access is denied. Be aware that most times one intends to debug only for tcp packets, but there might be udp/icmp packets blocked as well.

Volker
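
Added example (not part of Volker's post): one way to reduce a captured "netstat -n" log to the console ports the firewall does not yet permit. The console address 10.1.1.76, the sample capture and the function names are constructed for illustration, and the Windows or Linux address:port layout is assumed.

```shell
#!/bin/sh
# Added example. Live use: while :; do netstat -n; sleep 1; done > capture.txt
# then: blocked_ports <console-ip> "<allowed ports>" < capture.txt

# Print the distinct remote TCP ports used towards one host, from "netstat -n"
# output on stdin. The foreign address is the field before the state and is
# written as address:port (Windows and Linux layouts).
console_ports() {
    awk -v ip="$1" '
        tolower($1) ~ /^tcp/ && NF >= 4 {
            remote = $(NF - 1)
            n = split(remote, part, ":")
            port = part[n]
            host = substr(remote, 1, length(remote) - length(port) - 1)
            if (host == ip && port ~ /^[0-9]+$/) print port
        }' | sort -n -u
}

# Of those ports, print the ones missing from a space-separated allow list.
blocked_ports() {
    for p in $(console_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Constructed capture, as if taken while logging in from the LAN.
sample_capture() {
    cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1272      10.1.1.76:80           TIME_WAIT
  TCP    192.168.1.20:1273      10.1.1.76:80           ESTABLISHED
  TCP    192.168.1.20:1274      10.1.1.76:23           ESTABLISHED
  TCP    192.168.1.20:1280      192.168.1.5:139        ESTABLISHED
tcp        0      0 192.168.1.20:40112      10.1.1.76:2023          ESTABLISHED
EOF
}

# Firewall currently allows only port 80 to the console.
sample_capture | blocked_ports 10.1.1.76 "80"
```

Only TCP connections are covered; blocked udp/icmp traffic has to be found in the firewall's own log.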

Re: Secure WebConsole through firewall ?

We tested this "secure" webconsole and never "dared" to implement it over the internet since it requires the telnet port 23 to be open.
Attended Interworks 2001 on 6 May 2001 and learned from Juggy Krishnamurty, VP of Arula Systems, that there exists an "ssl" version.
See www.arula.com for the details. Also learned: you can update the HP secure webconsole J3519A by downloading a new firmware set (no version given).
Have not been able to locate it either at ftp 192.151.11.37 or at www.arula.com.
There is no HP secure webconsole support; this is done by Arula.
As of 7 May there were no HP plans to deliver the "SSL" version of webconsole. FYI
Jason Dinsdale
Frequent Advisor

Re: Secure WebConsole through firewall ?

Firmware news ... apparently this new firmware is going to be released real soon, and will have the designation A2.00 (not A1.10). It's just a shame that it doesn't fix the problem!

On that note, I still haven't got the WC to work through the firewall but I'm working on it.

Jason
If a man talks in a forest and there is no woman to hear, is he still wrong?
George Abraham_1
Regular Advisor

Re: Secure WebConsole through firewall ?

hai

I am also facing the same problem. When I try to connect from outside the firewall, the login comes up and then hangs there. I contacted HP; they said it is related to the firewall, and to see if there is any error log. Ports to be opened are 23, 80 and 2023 (for serial communication).

waiting for a solution
keep smiling
george
keep smiling
George Abraham_1
Regular Advisor

Re: Secure WebConsole through firewall ?

hai

I installed Netspace and a java console; in that I noticed one error. Does this make any sense to anyone?


----------------------------------------------------
Exception occurred during event dispatching:
java.security.AccessControlException: access denied (java.net.SocketPermission 10.1.1.76:23 connect,resolve)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkConnect(Unknown Source)
keep smiling

Re: Secure WebConsole through firewall ?

Geetam,

As some others have already mentioned there is an alternative product to the secure web console from Arula systems...

If you are coming from the 'dirty' side of a firewall, I would *never* use a HP secure web console - these are very very easy to crack, as they *do not* encrypt the data stream, but merely scramble it - have a hunt around some of the security sites and you will find five line perl routines for unscrambling the data. Go to arula.com, and take a look at their SSL version (Dominion X1 I think it's called)

I have used one of these arula products in the distant past... I seem to recall having to open up port 8080 and one other configurable port to get it working...

Cheers

Duncan

HTH

Duncan
benoit Bruckert
Honored Contributor

Re: Secure WebConsole through firewall ?

Hi,
I won't give you a solution, but maybe the reason why it doesn't work:
When you connect to the webconsole through 80, you open a non-connected link to the web console.
Any terminal-based application needs a connected link, which means that http 80 cannot be used.
So, another port is used by the webconsole (I don't know which one), which offers this connection.
The Webconsole is using a java applet, and this java program creates this connection (like a telnet, in fact!).
So if you want to use it through a firewall, find the right tcp port and open it! But maybe you have more than 1 port, I don't know! And the server also has to send the answer (open the firewall on the other side!).

For security reasons, I would recommend you use a VPN, ssh, or something like that to access your servers. I'm not sure that the webconsole is secured (i.e. encrypted communication).

Hope it will help
A poorly thought-out application ends up as an overcomplicated contraption (GHG)