Bypassing ISA Server 2006's Firewall for access to remote SSH servers - HOWTO

Introduction

This HOWTO explains how to bypass Microsoft's ISA Server 2006, which provides a firewall service to many commercial networks around the world. I will focus on gaining access to a remote SSH server from a network which does not normally allow SSH other than within the network itself. To do this, I tunnel the SSH session through the proxy's HTTPS port (443), as outlined below.

After having set this up, we can go further and tunnel all data through our SSH server, though this can obviously be adapted to suit any given environment. This is outlined in links to further reading.

Prerequisites

Conditions specific to the testing environment

This experiment was carried out on ISA Server 2006, running on Windows Server 2003. ISA Server is essentially a proxy, with some fancy gimmicks like a useless firewall and user authentication.

As things stood, the environment did not allow any SSH access outwith the network, and would not allow the firewall to be bypassed. As far as I know, this is because the server had two network cards, one for within the network and one for outwith, with the firewall standing between them.

Incidentally, all internet traffic had also been routed through the proxy and so was being both monitored and restricted, based on ACLs (Access Control Lists). As an appendix to this guide, I will outline the simple task of redirecting all internet traffic through the SSH connection.

Plan of Action

Since the ISA Server did not allow any encrypted sessions other than on port 443 (HTTPS), the only option was to send all traffic through this port to an SSH server at the other end. The first step was to set up an SSH server listening on port 443.

Secondly, passing SSH data from PuTTY through port 443 on the ISA Server required authorisation in this instance, because access through the proxy server was granted on a per-user basis. So NTLMaps (NTLM Authorisation Proxy Server) was used on the local computer to authorise the connection correctly; otherwise the connection would fail with "Error 407 Proxy Authentication Required."

Note that this is only required if PuTTY does not successfully authenticate on its own, i.e. if you see the "407 Proxy Authentication Required" error.

Through this simple plan of action, outlined above, SSH access was granted through the use of NTLMaps and an SSH server listening on port 443 on the opposite end.

Remote End

Set up the SSH Server, to use port 443.

Linux specific:

# vi /etc/ssh/sshd_config

Change the line "Port 22" to "Port 443" (note that sshd_config uses a space after the keyword, not a colon).

# /etc/init.d/sshd restart

This should restart your SSH server to listen on port 443 instead of port 22. Remember that the ISA server cannot differentiate between SSH data and HTTPS (Secure HTTP).
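The claim above, and the 407 retry described under "Plan of Action", are exactly what a defender reviewing proxy traffic would want to check: ISA Server may not look inside the tunnel, but the first bytes a client sends through a CONNECT tunnel do tell SSH apart from TLS. The following Python is an added example of that check, written here for this page; it is not code from the original HOWTO, from ntlmaps or from Microsoft, and the sample captures, hostnames and the NTLM token placeholder are constructed.

```python
import re

# Request line of an HTTP CONNECT, e.g. "CONNECT ssh.example.net:443 HTTP/1.1"
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]\r\n",
    re.IGNORECASE,
)


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None if it is not one."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    return m.group("host").decode("ascii"), int(m.group("port").decode("ascii"))


def classify_payload(first_bytes: bytes) -> str:
    """Classify the first bytes the client sends once the tunnel is established.

    TLS opens with a handshake record: content type 0x16, major version 0x03.
    SSH opens with a cleartext identification string that starts with "SSH-".
    """
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def inspect_tunnel(client_stream: bytes) -> dict:
    """Walk a captured client-to-proxy byte stream.

    Skips every CONNECT request in it (the first attempt plus any retries after
    a 407 carrying Proxy-Authorization), then classifies the tunnel payload.
    """
    rest = client_stream
    target = None
    attempts = 0
    while rest[:8].upper() == b"CONNECT ":
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            return {"error": "truncated CONNECT request"}
        target = parse_connect(head + b"\r\n")
        attempts += 1
    if target is None:
        return {"error": "stream does not begin with a CONNECT request"}
    host, port = target
    protocol = classify_payload(rest[:8])
    return {
        "host": host,
        "port": port,
        "connect_attempts": attempts,
        "protocol": protocol,
        # A 443 tunnel that does not start with a TLS handshake is worth a look.
        "suspicious": port == 443 and protocol != "tls",
    }


def find_suspicious(streams):
    """Return the verdicts for every capture that looks like a non-TLS 443 tunnel."""
    return [v for v in (inspect_tunnel(s) for s in streams) if v.get("suspicious")]


# Constructed sample captures (not real traffic). The first mimics the flow in
# this HOWTO: the initial CONNECT is answered with 407, the retry carries an
# NTLM Proxy-Authorization header, and PuTTY's SSH banner follows. The second is
# an ordinary HTTPS session starting with a TLS ClientHello record.
SAMPLE_SSH_TUNNEL = (
    b"CONNECT ssh.example.net:443 HTTP/1.1\r\nHost: ssh.example.net:443\r\n\r\n"
    b"CONNECT ssh.example.net:443 HTTP/1.1\r\nHost: ssh.example.net:443\r\n"
    b"Proxy-Authorization: NTLM <base64-token-placeholder>\r\n\r\n"
    b"SSH-2.0-PuTTY_Release_0.60\r\n"
)
SAMPLE_HTTPS = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
)

if __name__ == "__main__":
    for verdict in (inspect_tunnel(SAMPLE_SSH_TUNNEL), inspect_tunnel(SAMPLE_HTTPS)):
        print(verdict)
```

The check is a triage signal rather than proof: anything legitimate that is not TLS on port 443 will also be flagged, so the verdicts should be reviewed against the destination host and the user who authenticated to the proxy.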

Extra reading: Securing the SSH daemon with DenyHosts

Local End

Installation and Configuration of Python and NtlmAPS

Download Python from the link above (http://www.python.org/download/) and install it on the local system. Note that you do not require administrative privileges to run the Python installer if you're using Windows XP.

Also download the ntlmaps application, which is written to run under python.

Now configure the ntlmaps server with the settings of your local domain and proxy server, as well as your username and password for the domain if you require it. So open the file server.cfg in your ntlmaps installation:

LISTEN_PORT:5865

PARENT_PROXY:192.168.0.1

PARENT_PROXY_PORT:8008

NT_DOMAIN:RMACD

USER:<USERNAME>

PASSWORD:<PASSWORD>

Obviously, configure these values above to suit your environment. These are just a guide, and some more options may or may not be necessary depending on your setup.

Quick Reference

LISTEN_PORT: this is the port on which your ntlmaps server runs locally, so you can connect to it on loopback, i.e. 127.0.0.1:5865. It may be necessary to choose a high-numbered port, since many operating systems (including Linux) restrict access to low-numbered ports, and a low port may trigger a firewall. You can choose any number up to 2^16-1 (65535).

PARENT_PROXY: your parent proxy is the ISA server which is restricting your connection. Find the IP address of this proxy and put it here. It may help, under Windows, to have a look at ipconfig /all to find this value.

PARENT_PROXY_PORT: this parameter specifies the port that your ISA server listens to proxy requests on. This is usually port 8080.

NT_DOMAIN: the domain on which the local workstation is located.

USER and PASSWORD: these are the credentials that the Authorisation Proxy Server uses against the local network's proxy server to gain access outwith the network. These fields are usually populated with the username and password used to log on to the workstation.

Having completed this step, now run the Authorisation Proxy Server (ntlmaps) on the local workstation as below, or execute runserver.bat. It may be necessary to change the path to your python interpreter which you have installed, depending on its location.

# python main.py

Windows XP SP2: Once this is running on a restricted account, a message may appear that the Windows Firewall has blocked the server from accepting connections. Ignore this message, and do not click the 'OK' button; the Windows Firewall won't do anything to stop it from running properly until you click 'OK'.

PuTTY Configuration

PuTTY is a fantastically flexible little application that does for you most, if not all, you require for SSH connectivity. This solution will only use a very small number of the features available for use on PuTTY.

PuTTY Initial Configuration

Initially, you will wish to specify the hostname of your SSH server at the remote end (or its IP address), as well as the port you have used: in this case, port 443.

Afterwards, in the 'Proxy' page, under the 'Connection' category, specify the ntlmaps server. Its IP address will be 127.0.0.1, and its port 5865 (or whatever you specified in the ntlmaps configuration). The proxy type is HTTP.

Click 'Open' and you're done! SSH through ISA Server, via ntlmaps.

Issues with PuTTY and ntlmaps

Sometimes, the ISA server will disconnect the SSH connection running through the HTTPS port 443 after some time. To counteract this, enable TCP keepalives at intervals of about 15 seconds. This option can be found by clicking on the category header 'Connection' in PuTTY.

Updated Friday, 26 October, 2007