  1. #1
    Untangler
    Join Date
    Jan 2011
    Posts
    33

    FEATURE REQUEST: DNS Lookup for Remote Administration

    I just put in my first Untangle machine and am very, very pleased with it.

    One thing that I had in place on my previous, customized, Linux AV/AntiSpam gateway was that it was only able to be connected to from a list of IPs/Hosts. The hosts is the important part, as I like to be able to get to things via my laptop (which is constantly on different networks) and from home (which changes IP addresses on occasion as ISP renews DHCP).

    What I had done was to assign DDNS hostnames to my home network and to my laptop. That way, if I were somewhere remote, I could still get into my Linux box because it would resolve my DDNS host name.

    Could something similar be put into Untangle? Right now I see that it has the ability to limit remote admin to IP addresses, but for many people who do IT work and move around a lot to different locations, that's an impossible situation.

    What think you?

    Joe

  2. #2
    Untangler AngelKnight's Avatar
    Join Date
    Sep 2009
    Location
    NY State
    Posts
    76

    You could set up a VPN and then administrate the box once connected that way. Advantage is that it can be administered from anywhere and it's a secure connection. Just a thought.

  3. #3
    Untangler
    Join Date
    Jan 2011
    Posts
    33

    It's a great thought too!

    When I set up a VPN connection, I get a 172.x.x.x IP assigned. Any idea what the URL would be to get to the Untangle box via the VPN connection?

    Joe

  4. #4
    Master Untangler
    Join Date
    Mar 2008
    Posts
    196

    Once you are connected to the VPN you should be able to access it the same way you do when you are on the LAN.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553

    If you don't have DNS set up, the URL is the IP address of Untangle.

    If you do, use the DNS name.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangler
    Join Date
    Jan 2011
    Posts
    33

    I think we may be talking at cross purposes here.

    My Untangle box ONLY has a public IP address, since it's in bridged mode.

    I do have DNS set up for it, but that DNS is also for the public address.

    So are you guys saying that if I connect via OpenVPN to the Untangle box and get a private IP, I could, from that IP, connect to the Untangle box by going to its DNS hostname (https://url) and get into it even when external admin is turned off?

    Just want to make sure I understand before moving forth.

    Joe

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553

    You will need to enable External administration.

    BTW, putting an Untangle bridge on a publicly routable address is a bad idea for many reasons. You're just getting started with the nightmare of attempting to secure it from unauthorized access. Heaven help you if you've enabled SSH.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangler
    Join Date
    Jan 2011
    Posts
    33

    I've not yet enabled SSH.

    Working in drop in mode, I don't see how I could use this NOT in a public IP attachment.

    But, all this is why I wondered why we couldn't have access restricted to both certain IPs and/or certain Host addresses. That way it would be on the public side, but MUCH more secure while still having some flexibility.

    Joe

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553

    Remote Administration has an IP filter you can use to control access. DNS names are often poisoned, and inaccurate.

    Furthermore, Untangle can't verify them. What your client uses as a name to resolve Untangle's IP address is completely irrelevant; that information is never transmitted to the Untangle server for any filtering to be possible. Well, I guess the Host header in the HTTP request has some of it, but that's another topic.

    So you want a pass list based on the rDNS name associated with a given Internet IP? Those names are even easier to spoof...

    No, if you need secure access from random places on the Internet, you've landed squarely in the realm of VPN. However, Untangle's design is meant to have it either be the edge router, or be placed behind the edge router. If you've put it out in front...

    1.) You've neutered the attack blocker
    2.) You've destroyed your reports

    In short, you've put Untangle in a position where it cannot tell who is who on your LAN; all it sees is the NAT device. The only way it can separate "internal" and "external" access is based on what interface saw the traffic first.

    So I'm left scratching my head as to how to successfully add VPN to that configuration.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
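
The three ways of tying a hostname to an admin IP filter that come up in the posts above, compared side by side as an added example (not part of any post and not Untangle code). The hostnames, addresses, in-memory DNS tables and function names are all constructed for illustration, so it runs offline.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges), not real records.
FORWARD = {  # A records: published by whoever controls the DDNS zone
    "joe-laptop.ddns.example": ["198.51.100.23"],
    "joe-home.ddns.example": ["203.0.113.40"],
}
REVERSE = {  # PTR records: published by whoever controls the IP block
    "198.51.100.23": "cpe-23.isp.example",    # legitimate laptop, ISP-assigned PTR
    "203.0.113.66": "joe-home.ddns.example",  # unrelated IP claiming an allowed name
}
ALLOWED_HOSTS = {"joe-laptop.ddns.example", "joe-home.ddns.example"}


def resolve_a(name):
    """Hypothetical stand-in for a forward (A record) lookup."""
    return FORWARD.get(name, [])


def resolve_ptr(ip):
    """Hypothetical stand-in for a reverse (PTR record) lookup."""
    return REVERSE.get(ip)


def allow_by_ptr(src_ip):
    """Weak: trusts the PTR name, which the owner of the source IP sets."""
    return resolve_ptr(src_ip) in ALLOWED_HOSTS


def allow_by_fcrdns(src_ip):
    """Forward-confirmed rDNS: PTR name must be allowed AND map back to src_ip."""
    name = resolve_ptr(src_ip)
    return name in ALLOWED_HOSTS and src_ip in resolve_a(name)


def build_ip_allowlist(hosts=ALLOWED_HOSTS):
    """Forward-resolve the allowed names into the list an IP filter accepts."""
    ips = set()
    for host in sorted(hosts):
        for addr in resolve_a(host):
            ips.add(str(ipaddress.ip_address(addr)))  # reject malformed answers
    return sorted(ips)


def allow_by_forward_list(src_ip):
    """What the original request describes: DDNS names resolved to IPs."""
    return src_ip in build_ip_allowlist()
```

The PTR-only check admits 203.0.113.66 and rejects the real laptop, whose PTR is the ISP's name; only the forward-resolved list matches both legitimate addresses. That list is still only as trustworthy as the resolver's answers and the DDNS account behind them, which is the poisoning concern raised in the post.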

  10. #10
    Untangler
    Join Date
    Jan 2011
    Posts
    33

    Yeah, the way it's set up, it can't do anything internal except see that packets come from the SBS2003 server. I set it up this way based on advice given here:
    http://forums.untangle.com/networkin...tml#post130383

    Joe
