Tunnel traffic through RRAS server on same physical network and subnet

Mike

Hi all,

I have a PC that is running Windows XP and there are multiple user
environments present (similar to a terminal server) whereby there is the
console (sitting in front of the PC) and then individual user Windows
sessions for other users attaching through, let's say, RDP (but not RDP).

In each Windows session/environment there is a network application (similar
to telnet) that must attach to an application server (on a different but
nearby subnet). The application server will only accept connections from 1
IP address, therefore the first user to launch the application connects and
the rest get denied. I need to make each session appear to be coming from a
different IP on this subnet.

My idea is to have each user create a PPTP/L2TP connection to a local RRAS
server on the subnet, thereby getting a unique IP address which I want
the network application to use as its source address when connecting to the
application server.

I tried this and I did obtain the IP address; however, when I tried to
connect to the app server I found my source was still using the WinXP
system's IP address, for example 10.0.0.3 (instead of 10.0.0.6 obtained
through DHCP in RRAS). I found this by using netstat -n -o.

Any ideas on how to get this to work either my way or another way?

Thanks,
Mike
 
Phillip Windell

To the question in the subject line,...No,...that is not going to happen. A
VPN device is a type of "router",...routing requires different subnets on
each "side". And even if that was not true it is still going to show as
coming from the client's regular IP# anyway.

> I have a PC that is running Windows XP and there are multiple user
> environments present (similar to a terminal server) whereby there is the
> console (sitting in front of the PC) and then individual user Windows
> sessions for other users attaching through, let's say, RDP (but not RDP).

So it is a Terminal Session,...it doesn't matter who makes it. It is the
same principle as the old systems with the "green screen" terminals of the
1970's and 1980's.

> In each Windows session/environment there is a network application
> (similar to telnet) that must attach to an application server (on a
> different but nearby subnet). The application server will only accept
> connections from 1 IP address, therefore the first user to launch the
> application connects and the rest get denied. I need to make each session
> appear to be coming from a different IP on this subnet.

What is a "Windows session/environment"? Please don't "make up" terms. We
have to "speak the same language" and then actually know what each other
means by it if we are to get anywhere.

You are either running a Telnet session directly from the PC,...or you are
running a Telnet session inside the Terminal Session. If it is run from the
PC then it will always be coming from the PC's IP#. But if it is a Telnet
session run from within a Terminal Session then it will always be coming
from the IP of the "terminal server".

> My idea is to have each user create a PPTP/L2TP connection to a local RRAS
> server on the subnet, thereby getting a unique IP address which I want
> the network application to use as its source address when connecting to
> the application server.

Not gonna happen.

> I tried this and I did obtain the IP address; however, when I tried to
> connect to the app server I found my source was still using the WinXP
> system's IP address, for example 10.0.0.3 (instead of 10.0.0.6 obtained
> through DHCP in RRAS). I found this by using netstat -n -o.

If you are Telneting to the Application and it shows the PC's IP#,...then
this is not running over a Terminal Session,...it could even be that the
Terminal Server thing is not truly even a Terminal Server as you thought it
was and therefore the Session is not a true Terminal Session as you thought
it was.

The real fix for this is for the people who wrote the Application to fix the
thing so it is not limited to a single Client IP. That is a ridiculous
requirement and any programmer who wrote it that way either doesn't live in
the real world or doesn't know what they are doing.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Mike

Phillip, I don't think you understand and are probably not qualified to be
in this discussion. If you'd like to reply please limit your response to
helpful insight or questions that might help you further understand the
problem.

There is no option for changing the way this application server accepts
connections(welcome to the real world). It is a 3rd party solution that is
connected to on a private communication link. They will only accept 1
connection per IP address.

The Windows XP machine where I'm trying to get multiple connections to
originate from is not a terminal server from Microsoft, yet it is running
terminal server software from Ncomputing.com. NComputing sells dumb
terminals. These terminals connect to the software installed on the WinXP
PC. Each terminal session gets its own Windows desktop session independent
of the console and other sessions. Applications installed on the PC are
accessible to all users connected either through the console or a dumb
terminal.

I need a way to make this application, or all applications in a given
terminal session, originate traffic from a different IP address than the
XP PC. From one of these terminals I can create a PPTP connection to a
server on the same LAN to obtain a unique IP. Now I just need to force
traffic through the PPTP interface. Either that or a different solution.

Any positive advice is appreciated.

Thanks,
Mike
 
Phillip Windell

Mike said:
> Phillip, I don't think you understand and are probably not qualified to be
> in this discussion. If you'd like to reply please limit your response to
> helpful insight or questions that might help you further understand the
> problem.

After being involved with this stuff since the days of DOS and spending 8
years as an IT Manager at an NBC Affiliate TV Station that has more
electronics, networking devices, and proprietary software than many IT
people have seen in their entire life, and then 3 or 4 years as an MS MVP
for MS's Firewall Product, ISA Server, after it replaced the old MS
Proxy2,...I suspect I am qualified.

Possibly not understanding your situation? I'll give you that,..that is
certainly possible,...that's why I asked in the last post that you explain
things carefully with correct terminology,...all I have are words on the
screen to work with,...I cannot see what you are looking at for myself.

> There is no option for changing the way this application server accepts
> connections (welcome to the real world). It is a 3rd party solution that
> is connected to on a private communication link. They will only accept 1
> connection per IP address.

Nonsense, ...if it can be written,...it can be patched or replaced with a
newer version. Just ask MS, there are over 100 patches for XP-SP2 at this
point. Everything is 3rd party relative to someone else,...to Sun
Microsystems, Windows XP is a 3rd party product.

> The Windows XP machine where I'm trying to get multiple connections to
> originate from is not a terminal server from Microsoft, yet it is running
> terminal server software from Ncomputing.com.

Yes, that is exactly what I pictured and described.

> NComputing sells dumb terminals. These terminals connect to the software
> installed on the WinXP PC. Each terminal session gets its own Windows
> desktop session independent of the console and other sessions.
> Applications installed on the PC are accessible to all users connected
> either through the console or a dumb terminal.

Yes, it is acting as a Terminal Server. "Terminal Server" is also a generic
term (a server remote controlled by terminals),...it doesn't have to mean an
MS product.

> I need a way to make this application, or all applications in a given
> terminal session, originate traffic from a different IP address than the
> XP PC.

Sorry it isn't going to happen.

> From one of these terminals I can create a PPTP connection to a server on
> the same LAN to obtain a unique IP. Now I just need to force traffic
> through the PPTP interface.

You can't. The source IP# of the traffic is always going to be the NIC that
matches the subnet the target is on (if the target server is on the same subnet) or
will match the NIC with the Default Gateway. If the machine has multiple
NICs on the same subnet (which you aren't supposed to do) then the source
IP# will be the one of the NIC that is the highest priority in the binding
order. If you have a single NIC with multiple IP#s then the source IP# will
always be the Primary IP# of the NIC.

> Either that or a different solution.
>
> Any positive advice is appreciated.

I'm sorry if you don't appreciate what I am telling you, but the truth may
not always be "positive".

You have two options, probably you won't like either,....one would cost the
developing company money,...the other would cost you money.

[The best choice]
1. The Application needs to be configured, patched, or re-written to be "IP
neutral" in how it handles connections. Correctly written applications
would identify the session by the Random Client Source Port and the IP# as a
combined pair,...not simply the IP# by itself. That is short-sightedness of
the developers.

[not the best choice, but should work]
2. Use multiple XP machines with the Ncomputing software on each one and one
Ncomputing Terminal connecting to each one. Now you will have a different
IP# for each user. If you are short on hardware for this you can make up
for a few by using Virtual PC with multiple Virtual Machines running on
them. The number of them is limited by the CPU and memory of the hardware.
A 2 GHz CPU with 2 GB of RAM can probably easily run one copy of XP plus 3
or 4 copies in Virtual Machines. You still have to own all the XP copies
you use, but it does save on hardware.

--
Phillip Windell
www.wandtv.com

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
 
Mike

Phillip thank you for your detailed explanation and contribution.

I suspect the 3rd party does this partially for ease on their part and
partially for licensing. They charge per host and each host is setup in
their Unix systems' host file. Regardless they won't be changing the way
they operate.

I have tried running the Ncomputing software inside of a Virtual PC already.
It does work, but it does so slowly. The Ncomputing software either takes
too many resources to run inside the VM or the PC doesn't have enough
resources. I'm thinking it's more of the first than the latter, because the
system is fairly new. Either way I have not found this to be a workable
solution.

I really thought the PPTP would work because the whole point of tunneling is
to force traffic through a secure tunnel (even if it is on the LAN). I'd still
like to pursue this and was thinking maybe I can modify the route table of
the PC so it can only make it to the PPTP server on the LAN (via the
physical NIC, maybe with a /30 mask), then when the PPTP session is
established it will route all other LAN traffic through there.

If that doesn't work something else should. I've thought about setting up a
proxy to try to change the source IP. If IP spoofing is possible, then this
should be as well. I understand it's complex, but I don't believe there is
no solution.

Any other suggestions are surely appreciated.

Thanks,
Mike


The 3rd party will never change the system. I suspect they have this setup
 
Phillip Windell

Mike said:
> I have tried running the Ncomputing software inside of a Virtual PC
> already. It does work, but it does so slowly. The Ncomputing software
> either takes too many resources to run inside the VM or the PC doesn't
> have enough resources.

Did you install the Virtual Machine Additions on the Guest OS after it was
put into place? After the VMAs are installed the performance can jump up
drastically. Without the Virtual Machine Additions the performance is just
plain horrible no matter how good the hardware is.

> I really thought the PPTP would work because the whole point of tunneling
> is to force traffic through a secure tunnel (even if it is on the LAN). I'd
> still like to pursue this and was thinking maybe I can modify the route
> table of the PC so it can only make it to the PPTP server on the LAN (via
> the physical NIC, maybe with a /30 mask), then when the PPTP session is
> established it will route all other LAN traffic through there.

I just noticed this in your earlier post:
--------------------------------------------------
there is a network application (similar to telnet) that must attach to an
application server (on a different but nearby subnet).
--------------------------------------------------

Since the XP machine is on a different subnet from the target server it would
appear that there might be hope. Sorry, in the first posts I thought
it was all one subnet,...this was due to the message's subject line and when
you described the user receiving 10.0.0.6 with the VPN while the PC was
10.0.0.3,...those are the same subnet and won't work correctly,...so I
thought everything was running over a single subnet.

In your first post you described this:
-----------------------------------------------------
My idea is to have each user create a PPTP/L2TP connection to a local RRAS
server on the subnet, thereby getting a unique IP address which I want
the network application to use as its source address when connecting to the
application server.

I tried this and I did obtain the IP address; however, when I tried to
connect to the app server I found my source was still using the WinXP
system's IP address, for example 10.0.0.3 (instead of 10.0.0.6 obtained
through DHCP in RRAS). I found this by using netstat -n -o.
--------------------------------------------------------

This failed because the user received an IP# from the same subnet (10.0.0.x)
that the PC was already a part of on its own. This creates the same effect
as having two NICs in a machine on the same subnet and it would fail as I
described in earlier posts.

Here are two things to consider....

1. The item "Use default gateway on remote network" in the user's VPN connectoid
needs to be enabled.

2. The VPN box needs to be a dual-NIC box and must sit between the subnet of
the users and the subnet of the target server. It must have an interface on
each subnet with the "user side" of it being the side that accepts the
incoming VPN connection. The user then gets an IP# from the subnet of the
target server and that should be the IP the connection appears to come from.

You still have the problem of the XP machine already having a valid path to
the target server which could cause it to follow that path and always use
the main IP of the PC. However, as long as the "Use default gateway on remote
network" is enabled on the user's VPN connectoid it may force it over the
established VPN connection.

I'm not positive it will work correctly, but if it does, I think it will
have to be done along those lines. I still think the VPC method is easier
and cleaner apart from the expense of buying the additional copies of XP.

--
Phillip Windell
www.wandtv.com

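The whole thread turns on one rule that neither poster spells out in full: an outbound packet takes the most specific (longest-prefix) route in the table, ties go to the lowest metric, and the source address is the address of the interface that winning route points at. The following is an added example, not code from the thread or from Microsoft; it is a small simulation of that rule in Python rather than a call into the Windows stack, and every address other than the thread's 10.0.0.3 and 10.0.0.6 (the app server at 10.0.0.20 / 10.0.1.20, the narrowed 10.0.0.0/29 LAN prefix) is constructed for the demonstration. It runs Mike's original table, the table after the PPTP link with and without "Use default gateway on remote network", and his proposed trick of narrowing the physical NIC's connected route so that the PPP default route wins. It also includes a `kernel_source_for` helper that asks the real OS the same question via a UDP connect, which is a quicker check than reading `netstat -n -o` after the fact. One caveat worth keeping in mind: whatever the app server vendor calls it, a per-source-IP limit is a routing and NAT artefact, not authentication; anyone who controls the route table or a NAT in the path can present any address they like to it.

```python
"""Route selection simulation for the PPTP / source-address question.

Added example, not part of the original thread.  Models longest-prefix
match with metric tie-break and reports the source address the winning
interface would stamp on the packet.  Addresses marked 'constructed' are
invented for the demo; only 10.0.0.3 and 10.0.0.6 come from the thread.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network    # destination prefix
    interface: str                   # outgoing interface
    source: ipaddress.IPv4Address    # address used when sending via this route
    metric: int = 1


class RouteTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def select(self, dst):
        """Winning Route for dst: longest prefix first, then lowest metric."""
        dst = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def source_for(self, dst):
        """Source address (as a string) the stack would pick for dst, or None."""
        r = self.select(dst)
        return str(r.source) if r else None


def lan_only():
    """The XP box as first described: one NIC at 10.0.0.3/24 plus a LAN default route."""
    nic = ipaddress.ip_address("10.0.0.3")
    return [
        Route(ipaddress.ip_network("10.0.0.0/24"), "LAN", nic),
        Route(ipaddress.ip_network("0.0.0.0/0"), "LAN", nic, metric=20),
    ]


def with_pptp(use_remote_gateway=True, lan_prefix="10.0.0.0/24"):
    """Same box after a PPTP link that was assigned 10.0.0.6.

    A /32 host route for the PPP address is always present.  With 'Use default
    gateway on remote network' on, a second default route via PPP with a lower
    metric outranks the LAN default route.  lan_prefix narrows the NIC's
    connected route so that Mike's /30-style idea can be tried.
    """
    nic = ipaddress.ip_address("10.0.0.3")
    ppp = ipaddress.ip_address("10.0.0.6")
    routes = [
        Route(ipaddress.ip_network(lan_prefix), "LAN", nic),
        Route(ipaddress.ip_network("0.0.0.0/0"), "LAN", nic, metric=20),
        Route(ipaddress.ip_network("10.0.0.6/32"), "PPP", ppp),
    ]
    if use_remote_gateway:
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "PPP", ppp, metric=1))
    return routes


SAME_SUBNET_SERVER = "10.0.0.20"    # constructed: app server on the PC's own subnet
NEARBY_SUBNET_SERVER = "10.0.1.20"  # constructed: app server on the "nearby" subnet


def scenarios():
    """Map scenario name -> (source for same-subnet target, source for nearby-subnet target)."""
    tables = {
        "LAN only": RouteTable(lan_only()),
        "PPTP, remote gateway on": RouteTable(with_pptp(True)),
        "PPTP, remote gateway off": RouteTable(with_pptp(False)),
        # constructed /29 keeps 10.0.0.3 on the NIC but drops 10.0.0.20 off the connected route
        "PPTP, remote gateway on, LAN narrowed to /29": RouteTable(with_pptp(True, "10.0.0.0/29")),
    }
    return {name: (t.source_for(SAME_SUBNET_SERVER), t.source_for(NEARBY_SUBNET_SERVER))
            for name, t in tables.items()}


def kernel_source_for(dst, port=23):
    """Ask the running OS which source address it would use for dst.

    A UDP connect() sends nothing but forces route selection, so getsockname()
    shows the address the stack chose.  Returns None when there is no route.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    for name, (same, nearby) in scenarios().items():
        print(f"{name:48s} same-subnet -> {same}   nearby-subnet -> {nearby}")
    print("this host would reach", NEARBY_SUBNET_SERVER, "from", kernel_source_for(NEARBY_SUBNET_SERVER))
```

Two of the rows are the ones the thread is really about. With the PPP address on the same /24 as the NIC, a target on that /24 always matches the NIC's connected route, so the VPN changes nothing for it; only a target off the subnet, and only with the remote-gateway option on, is sent with 10.0.0.6. Narrowing the NIC's connected route so the app server no longer falls inside it is what makes the PPP default route win for a same-subnet target too, which is the effect Mike was after; the cost is that the PC then reaches everything else on that LAN only through the RRAS box, so the RRAS server itself must stay inside the narrowed prefix.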
 