Accessing Slimserver through corporate firewall?


nicketynick
2007-03-07, 12:48
Hi,

I've managed to open the SS ports to the internet (9000), and with the help of a friend have confirmed that my SS is accessible remotely, but I can't access it at work, so I have come to the conclusion that the firewall must be blocking 9000.
Can anybody suggest ways around this?
I've seen in older threads the suggestion to change SS to run on a different port. Can anybody provide further details on how to do this, and what other implications there may be?
I'm running XP, and have looked at using OpenSSH for secure tunnelling, but the documentation indicates a fairly formidable task that offers far too many opportunities for screw-ups (put a puddle between me and the green, and that's where my ball will go!) Also, I need a method that I can install on the work machine, with no admin rights. I can't even install SoftSqueeze, since I can't update the Java!
Any suggestions, or questions to clarify my situation and hoped-for outcome appreciated!

Nikhil
2007-03-07, 13:00
What about port 3483? You need that open as well, on TCP and UDP.

nicketynick
2007-03-07, 13:06
I've done that as well, and I'm pretty sure everything is working, since my server is accessible over the internet, just I can't reach it from work! ie. via http://my.ip.xx.xx:9000
What does 3483 do anyway? Some sort of a control function?
Thanks for the input, any other ideas?

JJZolx
2007-03-07, 14:38
nicketynick wrote:
> Hi,
>
> I've managed to open the SS ports to the internet (9000), and with the help of a friend have confirmed that my SS is accessible remotely, but I can't access it at work, so I have come to the conclusion that the firewall must be blocking 9000.
> Can anybody suggest ways around this?
> I've seen in older threads the suggestion to change SS to run on a different port. Can anybody provide further details on how to do this, and what other implications there may be?

The simplest thing to do would be to either map port 80 (the standard HTTP web port) at your home router to your internal SlimServer's port 9000 or else just run SlimServer on port 80. To run on port 80 you'll need to shut down SlimServer and edit the pref file ("httpport: 80") since the server settings web interface rejects port 80. Not all home router/firewalls will let you map an external port, but if yours does then it may be easier than messing with SlimServer itself.

No real implications in changing the SlimServer HTTP port that I've run into other than maybe SlimTray will no longer bring up the SlimServer web interface. But you'll no longer have to use :9000 in SlimServer URLs.


> I'm running XP, and have looked at using OpenSSH for secure tunnelling, but the documentation indicates a fairly formidable task that offers far too many opportunities for screw-ups (put a puddle between me and the green, and that's where my ball will go!) Also, I need a method that I can install on the work machine, with no admin rights. I can't even install SoftSqueeze, since I can't update the Java!
> Any suggestions, or questions to clarify my situation and hoped-for outcome appreciated!

If you can open the firewall/router at home to only your work IP address then you don't need SSH. There's nothing the least bit sensitive in the web interface or music stream, so you don't need encryption.

If you only open the HTTP (web) port, then you won't be able to use SoftSqueeze at work, but you can use a client like Winamp by connecting to

http://your_home_ip_address/stream.mp3

and you'll be able to play and queue music using the web interface.

If you need to use SoftSqueeze then you'll need to open up another port. Like port 9000, your company firewall likely will be blocking outgoing connections on the standard port 3483. You'll either need to change or map an external port to this one as well. I'd use something like port 443 (the standard HTTPS port) to get through your work firewall.

I'd research your company's Internet usage policy. If they've got things locked down to only permit a very restrictive number of outgoing ports, they may also have a very tight usage policy. Are you or your coworkers permitted, for instance, to listen to streamed Internet radio? This is essentially the same thing. A system admin will have little trouble finding out who's using a constant chunk of bandwidth if you listen constantly during the day. They may not like that.
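A plain TCP relay in Python, added here as an example and not code from the thread or from SlimServer: listening on one port and copying bytes both ways to another host and port is what the router port map suggested above (external 80 or 443 to internal 9000) does, and also what the local end of an ssh -L tunnel does, minus the encryption. The allow_from set is the "open the home firewall to only your work IP" idea from the same post, done in the relay instead of the router. The echo server is a constructed stand-in for SlimServer so the block runs offline; the addresses in __main__ are placeholders.

```python
"""User-space TCP port relay (added example): listen on one port, forward
to target host:port, optionally only for whitelisted client IPs."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    far side sees the EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Relay one accepted connection to target (a (host, port) tuple)."""
    try:
        upstream = socket.create_connection(target, timeout=5.0)
    except OSError:
        client.close()  # upstream down: drop the client, as a router would
        return
    upstream.settimeout(None)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    for s in (client, upstream):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        s.close()


def start_relay(listen_host, listen_port, target, allow_from=None):
    """Accept on listen_host:listen_port and relay each connection to target.
    allow_from: optional set of client IPs; others are closed immediately.
    Returns (bound_port, stop_fn); port 0 picks a free port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                client, (ip, _) = srv.accept()
            except OSError:
                return  # listener closed by stop_fn
            if allow_from is not None and ip not in allow_from:
                client.close()  # not on the whitelist
                continue
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv.close


def start_echo_server():
    """Constructed stand-in for the real server: echoes what it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve_one(conn):
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv.close


def roundtrip(port, payload):
    """Send payload through the relay on 127.0.0.1:port, return the reply."""
    chunks = []
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5.0) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            while True:
                data = s.recv(65536)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        pass  # a reset (e.g. whitelist rejection) simply ends the exchange
    return b"".join(chunks)


if __name__ == "__main__":
    # Placeholder: expose the server on 443 and forward to it on 9000,
    # accepting only the work address 203.0.113.7 (an example IP).
    start_relay("0.0.0.0", 443, ("192.168.1.10", 9000), allow_from={"203.0.113.7"})
```

Run as root (or with the capability to bind a low port) if you really use 443; the test below uses ephemeral ports only.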

nicketynick
2007-03-08, 07:38
Thanks for the response JJZolx.
I'll have a look at the .pref file as soon as I'm able, and see if I can suss out what I need to do. Am I editing a current line, or adding a line?
I've been watching my work ip for a few days now, and it looks to be constant, so I should be able to whitelist it easily enough to control access.
I'm not going to be able to use Softsqueeze, as much as I would like to, since I can't do the Java upgrade on my machine (no admin rights).
We are permitted internet radio access, so I'm not too worried about policy issues. I probably will try to figure out how to limit the bitrate to 128 kbps just to keep things simple.
Thanks again, and I'll come back to let folks know if this has worked out for me!

FreeMan
2007-03-08, 07:57
What's the best way to confirm whether the corporate firewall is allowing connections out on port 3483? I've opened that on my home router, but can't get softsqueeze to respond.

I can connect just fine with Win Media Player, but I'd like a nicer interface and can't just install software willy-nilly at work.

Thanks!
bds

EDIT: Oh yes, I've checked the corporate policy, and streaming music is explicitly allowed!!!

nicketynick
2007-03-08, 08:34
Unless I'm totally missing something, if you can't install SoftSqueeze directly on your machine at work, you won't be able to run it over the internet either, because it requires a Java update. I think if you already have the Java installed, Softsqueeze itself should install fine (at least the applet).
Am I missing something? I'd love to be able to use SoftSqueeze if I could.

FreeMan
2007-03-08, 08:46
nicketynick- We've got Java installed, so I'm able to run SoftSqueeze no problem. I just can't get it to connect to home.

I've posted in the 3rd party plugins forum (http://forums.slimdevices.com/showthread.php?t=33395), but haven't gotten any interest in a reply there. Do you have some thoughts on that topic?

Thanks!
FreeMan

snarlydwarf
2007-03-08, 09:10
FreeMan wrote:
> What's the best way to confirm whether the corporate firewall is allowing connections out on port 3483? I've opened that on my home router, but can't get softsqueeze to respond.

Open up a "Command Prompt" or whatever Windows calls it these days, then type "telnet x.x.x.x 3483" where x.x.x.x is your IP number at home.

If it says "connected to.." then that port most likely works. If it just sits there trying to connect, then for sure it is blocked.

FreeMan
2007-03-08, 09:21
Thanks for the reminder, snarlydwarf. I knew that, but I'd forgotten.

I'm getting:
Connecting to x.x.x.x:3483...Could not open connection to the host, on port 23: Connect failed

What's with port 23? I specified 3483. I've done this before (telnet, that is), but it's been so long, I just don't remember.

Thanks!
FreeMan

snarlydwarf
2007-03-08, 09:35
No colon. A space before the port number.

FreeMan
2007-03-08, 09:49
Oh good grief! <:-|

OK, corp's blocking 3483. Any recommendations of commonly open ports? Last place I worked had 5900-5902 open for VNC. Of course, 80's open. Maybe I'll try 443. Will using either of these affect web browsing from the work or home machines?

TIA!
FreeMan

EDIT: OK, now I can't telnet to port 9000 on my home machine, either.

C:\Documents and Settings\u7x1069\Desktop>telnet 74.133.x.x 9000
Connecting To 74.133.x.x...Could not open connection to the host, on port 9000: Connect failed

yet, I'm streaming via Win Media Player on port 9000 right now. Has corp filtered telnet packets?

Robin Bowes
2007-03-08, 10:23
FreeMan wrote:
> Oh good grief! <:-|
>
> OK, corp's blocking 3483. Any recommendations of commonly open ports?
> Last place I worked had 5900-5902 open for VNC. Of course, 80's open.
> Maybe I'll try 443. Will using either of these effect web browsing
> from the work or home machines?

Your best bet is to set up an ssh tunnel and access all ports over that.

R.

FreeMan
2007-03-08, 10:45
SSH tunnel. Got it.

Guess I won't be getting this working until I get home tonight. :(

Thanks all for the help.

Anyone have any suggestions for the skin issue I mentioned in the other post? ( http://forums.slimdevices.com/showthread.php?t=33395 )

nicketynick
2007-03-08, 10:52
Hi Robin,
Can you recommend a SSH tunnel set-up for XP with a low RPN (Risk Priority Number), ie. just about idiot-proof? I've looked at the documentation for OpenSSH, and it looks like a high RPN to me! Would anybody else care to comment on their experience?

Thanks.

FreeMan
2007-03-08, 11:14
nicketynick-

Try this: http://xopey-voice.blogspot.com/ "Surfin Over the Wall" post.

It's a link to a blog a former co-worker put together. It only took me an hour or two to get things up and running. He links to another article, and that's the one I used as my primary reference.

Of course, I had this going *before* I had to rebuild the machine with XP Pro instead of Home, so no more tunnel right now.

nicketynick
2007-03-08, 11:27
Funny, I was reading http://www.buzzsurf.com/surfatwork/ just now...... but I think the one you've provided is a little clearer and concise. Thanks!

FreeMan
2007-03-08, 11:35
Glad I could help, instead of just asking.

Robin Bowes
2007-03-08, 12:33
nicketynick wrote:
> Hi Robin,
> Can you recommend a SSH tunnel set-up for XP with a low RPN (Risk
> Priority Number), ie. just about idiot-proof? I've looked at the
> documentation for OpenSSH, and it looks like a high RPN to me! Would
> anybody else care to comment on their experience?

Basically, you need an ssh server for Windows. You can buy commercial
packages, or use cygwin/openssh.

I'm afraid I have little recent experience of Windows as a server so I'm
not in any position to recommend any particular solution. However, I
have used cygwin with openssh in the past successfully.

R.

nicketynick
2007-03-08, 12:52
Maybe it's time for me to pull out the box with Ubuntu Dapper on it and get Slimserver going on it.... looks like it will be better suited to OpenSSH. I think I should go get another USB drive though, so I can keep the windows server running until it's working right......

Murph
2007-03-08, 14:11
There are all kinds of shareware apps for 'testing the security' of your firewall at work. You are looking for a "port scanner". There are also multi tool programs that scan ports and do many other things to 'test security' all in one package. Careful with these, your firewall might pick up on the activity of some of these tools and log you. If you run it from an internal IP (from within your work network) it would be pretty easy for them to figure out it is you. For the port scanner to work, you will need to run it from outside your network anyway. It's passive and can't do any harm but is not generally appreciated by network admins.

Quotes around 'testing' added because certainly they could not be used by Hackers as long as the .txt file says they are for testing purposes only.

However, what I really wanted to say was....Be careful. Depending on who you work for, intentionally bypassing firewall security for whatever reason can get you a nasty speech from your boss or even get you fired, depending on policy.

nicketynick
2007-03-08, 14:26
Geez whiz, I just searched 'port scanner' at sourceforge.net, and came up with way too many results. Anybody have any recommendations to start with?

JJZolx
2007-03-08, 15:07
nicketynick wrote:
> Geez whiz, I just searched 'port scanner' at sourceforge.net, and came up with way too many results. Anybody have any recommendations to start with?

You're going to port scan your office firewall from your office PC? You better update your resume.

nicketynick
2007-03-08, 15:39
No, I was thinking I would do it from outside.....
But thanks for your concern :-) I'm a total novice at this stuff, so I'm just feeling my way around - advice is always appreciated!
I always keep it updated anyway - too many interesting opportunities in the big wide world!

peter
2007-03-09, 05:12
nicketynick wrote:
> No, I was thinking I would do it from outside.....
> But thanks for your concern :-) I'm a total novice at this stuff, so
> I'm just feeling my way around - advice is always appreciated!
> I always keep it updated anyway - too many interesting opportunities in
> the big wide world!
>

No, you'd have to scan it from the inside. You're looking for a way out,
not in. Either way could get you into trouble.

Seeing that you're a novice, perhaps you'd best steer clear or ask the
IT department for help (they allow streaming audio, so why not open up
the SB ports)?

Regards,
Peter

nicketynick
2007-03-09, 06:23
Unfortunately, it's difficult to get help with a real IT problem that hinders my ability to do my job - I won't get any help with anything remotely extra-curricular! I think I'll just skip the scanning part, and just try putting the Slimserver on a different port by trial & error. I'll start with 22 & 443, I think.

peter
2007-03-09, 08:45
nicketynick wrote:
> Unfortunately, it's difficult to get help with a real IT problem that
> hinders my ability to do my job - I won't get any help with anything
> remotely extra-curricular! I think I'll just skip the scanning part,
> and just try putting the Slimserver on a different port by trial &
> error. I'll start with 22 & 443, I think.
>

I have a better idea. My mail provider has a server that listens to ALL
port numbers (even 0).

Try, from behind your office desk, telneting to some ports:

telnet pop.proxy.fastmail.fm 22
telnet pop.proxy.fastmail.fm 443

If your employer allows outgoing traffic to that port, you'll see:

+OK POP3 ready

Otherwise don't bother with changing slimserver's ports. It won't work.

Regards,
Peter
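The egress check from the two posts above (snarlydwarf's "telnet x.x.x.x 3483" and Peter's server that greets with "+OK POP3 ready" on every port), scripted in Python as an added example; this is not code from the thread. It connects with a timeout and tells apart the three outcomes a hand-run telnet blurs together: handshake completed, connection refused (the host is reachable but nothing listens there), and no answer at all (the silent drop a firewall produces). It also reads the first bytes the server sends, which is how you confirm the answer came from Peter's server and not from a proxy that completes handshakes on the firewall's behalf. The listener helpers exist only so the block can be exercised offline against 127.0.0.1; the hostname in __main__ is the one from the thread.

```python
"""TCP egress probe (added example): classify connect attempts per port and
capture the server's greeting, the scripted form of 'telnet host port'."""
import socket
import threading


def probe_tcp(host, port, timeout=3.0, want_banner=True):
    """Return (state, banner) for one TCP port.

    state: 'open'    - handshake completed ('Connected to ...')
           'refused' - RST came back: reachable, nothing listening
           'timeout' - nothing came back: typical of a firewall drop
           'error'   - DNS failure, no route, etc.
    banner: first bytes the server sent (b'' if it waits for us to talk).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            if want_banner:
                s.settimeout(1.0)
                try:
                    banner = s.recv(256)
                except socket.timeout:
                    pass  # e.g. HTTP servers say nothing until asked
            return "open", banner
    except ConnectionRefusedError:
        return "refused", b""
    except socket.timeout:
        return "timeout", b""
    except OSError:
        return "error", b""


def egress_report(host, ports, timeout=3.0):
    """Probe several ports on one host; return {port: state}."""
    return {p: probe_tcp(host, p, timeout)[0] for p in ports}


def start_banner_listener(banner=b"+OK POP3 ready\r\n"):
    """Local stand-in for a server that greets on connect (constructed for
    offline use). Returns (port, stop_fn)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def unused_local_port():
    """Bind and release an ephemeral port so connecting to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # The same check the thread does by hand, run from the office desk.
    for p in (22, 443, 9000):
        state, banner = probe_tcp("pop.proxy.fastmail.fm", p)
        print(p, state, banner)
```

A 'timeout' on one port next to 'open' on another is the firewall answer you are after; a 'refused' everywhere usually means the host itself is reachable and the ports simply are not served, and 'error' on every port points at DNS or routing rather than filtering.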

peter
2007-03-09, 09:19
nicketynick wrote:
> Absolutely brilliant Peter! Both 22 & 443 are available, I
> double-checked 9000 - no connection. Took me a minute to figure out how
> to terminate connections though - turns out 'quit' works!
> So I think I have a way forward now.....
>

Or ^[

Good luck.

Some more ports to try (just the tcp ones):

http://iptables-tutorial.frozentux.net/other/services.txt

Regards,
Peter

nicketynick
2007-03-09, 09:23
Absolutely brilliant Peter! Both 22 & 443 are available, I double-checked 9000 - no connection. Took me a minute to figure out how to terminate connections though - turns out 'quit' works!
So I think I have a way forward now.....

Murph
2007-03-09, 11:27
Not sure how you figure that running a port scanner is more likely to get you fired than manually testing the same thing one port at a time.

Not likely either will get you fired, I would hope. It's totally passive. The more 'intense' scanners also look for any software or possible exploits on any open port that could be used for unfriendly purposes. It's a little harder to explain to your IT Security folk why you're running something like this on your network.

Also, if you port scan from the outside and you can get in on a port, you can be almost 100% sure you will also get out on it. However, when you scan from the inside, you might find a way out but depending how the packets get wrapped up, your application might still need a swinging door back in and sometimes a firewall blocks incoming only. If it gets treated as a return packet from an internal request, it won't matter much and it will be allowed back in. Some server apps on the outside though need to be able to establish a session from their end. In this case, your firewall has to let 'strange' packets in on that port.


Sorry, I got wrapped up in the argument but that doesn't help you at all. Sounds like you are ready to roll anyways.

Some places even frown against streaming audio as it chews up bandwidth when half the staff are listening to news or music all day. Many places have a policy but few actually enforce it when it comes down to it. However, you know much better than we do what your particular company will let you get away with.

To answer your question, although you don't need it anymore, I usually recommend "Advanced Port Scanner" to network newbs who just want to find a free port to make something work. It's not nearly as advanced as it says but it's easy to use and describes some of the more common port uses which helps you to understand what else is going on on a given port.

For instance, someone mentioned just map your server to use port 80 because it's used for web and it's always open. However, your PC is already being slowed down when you browse the web but do you also want your SW server and client to have to deal with all your web traffic directly pumped into it too?

Again, Sorry, way too much information.

Regardless, you know better than us what you can get away with.

peter
2007-03-09, 11:46
Murph wrote:
> not sure how you figure that running a port scanner is more likely to
> get you fired than manually testing the same thing one port at a time.
>

You have a point. In this case trying two ports won't cause problems.
But running nmap against your own IP might wake up some intrusion
detection stuff and get you into trouble

Blocking outgoing ports is completely useless anyway IMHO (I make an
exception for 25). Bad stuff could be running on any port and most of
the bad stuff on the 'net is behind port 80 which is passed on anyway.

The magic word port scanner has a much higher probability of getting you
into trouble than a few simple telnet commands.

> Not likely either will get you fired, I would hope. It's totally
> passive. The more 'intense' scanners also look for any software or
> possible exploits on any open port that could be used for unfriendly
> purposes. It's a little harder to explain to your IT Security folk why
> you're running something like this on your network.
>

I wouldn't count on it. Installing any port scanner on your work system
would not be looked upon favourably in most companies and in most
professions.

> Also, If you port scan from the outside and you can get in on a port,
> you can be almost 100% sure you will also get out on it. However, when
> you scan from the inside, you might find a way out but depending how the
> packets get wrapped up, your application might still need a swinging
> door back in and sometimes a firewall blocks incoming only. If it gets
> treated as a return packet from an internal request, it won't matter
> much and it will be allowed back in. Some server apps on the outside
> though need to be able to establish a session from their end. In this
> case, your firewall has to let 'strange' packets in on that port.
>

In modern office environments no tcp ports are open to incoming traffic
on the office LAN.

If outgoing traffic is allowed the returning packets are allowed too
(established connections). Otherwise you can't even set up a tcp
connection, the setup handshake requires two way traffic.

>
> Sorry, I got wrapped up in the argument but that doesn't help you at
> all. Sounds like you are ready to roll anyways.
>
> Some places even frown against streaming audio as it chews up bandwidth
> when half the staff are listening to news or music all day. Many places
> have a policy but few actually enforce it when it comes down to it.
> However, you know much better than we do what your particular company
> will let you get away with.
>
> To answer your question, although you don't need it anymore, I usually
> recommend "Advanced Port Scanner" to network newbs who just want to
> find a free port to make something work. It's not near as advanced as
> it says but it's easy to use and describes some of the more common port
> uses which helps you to understand what else is going on on a given
> port.
>
> For instance, someone mentioned just map your server to use port 80
> because it's used for web and it's always open. However, your PC is
> already being slowed down when you browse the web but do you also want
> your SW server and client to have to deal with all your web traffic
> directly pumped into it too?
>

Huh? What are you saying here?

Regards,
Peter

JJZolx
2007-03-09, 11:50
Murph wrote:
> Also, if you port scan from the outside and you can get in on a port, you can be almost 100% sure you will also get out on it.

How do you figure? My guess would be the typical corporate network may have port 25 incoming open to a company mail/SMTP server, yet users would be required to relay through the local SMTP server, so couldn't connect on port 25 to an outside server.


Murph wrote:
> For instance, someone mentioned just map your server to use port 80 because it's used for web and it's always open. However, your PC is already being slowed down when you browse the web but do you also want your SW server and client to have to deal with all your web traffic directly pumped into it too?

Huh? Outgoing HTTP connections are made from a random high port on the PC to an outside port 80. SlimServer wouldn't be involved.