    appear to come from an IP

    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @dashrender said in appear to come from an IP:

      The vendor hasn't supplied a reason they IP lock - but I can really only imagine it's more about security than anything else

      No, IT does that for security. Dev does that for licensing. They are Devs, you are IT. Any IP lock from the app is always for licensing reasons.

      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @dashrender said in appear to come from an IP:

        and I say this because they will add additional IPs at a whim (well, at least one vendor will).

        Sure, that's normal. Forces you to talk to them and expose that your IPs are changing.

        • scottalanmillerS
          scottalanmiller @Dashrender
          last edited by

          @dashrender said in appear to come from an IP:

          Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.

          Yup, gives them a chance to enforce your knowledge of a potential violation.

          • 1
            1337 @scottalanmiller
            last edited by

            @scottalanmiller said in appear to come from an IP:

            @dashrender said in appear to come from an IP:

            Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.

            Yup, gives them a chance to enforce your knowledge of a potential violation.

            I also think it's a licensing thing, with a bit of security sprinkled on top.

            Each client location would normally have a different static IP so it's easy to keep track of them. And with IP whitelisting you get some DDoS protection.

            IP whitelisting is normally on IP, not FQDNs, to avoid a DNS lookup for every access and to avoid DNS spoofing. When you do use FQDN in a firewall, it's actually still static IPs but the IP list is usually updated when the DNS entry expires or on a fixed schedule, like every 5 minutes or something.

            Either way, for mobile users FQDNs are also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

            • 1
              1337 @Dashrender
              last edited by 1337

              @dashrender said in appear to come from an IP:

              @pete-s said in appear to come from an IP:

              @dashrender Where does the IP whitelisting happen and how do the users connect?

              Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?

              Are we talking about one IP or a subnet or just that it has to be one or several static IP ranges?

              This is a SaaS solution. They are the ones who manage the whitelist.
              The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - an unrelated vendor is actively deploying a version of Xming from 2006, even though there is active development in 2022.

              I now believe that they lock down to IP because the rest of their security is so bad.

              If it's web based I'd look at using an outgoing http proxy. This is a forward proxy, not a reverse proxy as you commonly see in front of websites.

              Mobile users' traffic that is going to the SaaS solution goes through the proxy first, everything else goes directly as normal. You just need to change proxy settings on the mobile users to get this up and running, nothing to install.

              You can host the proxy yourself or use a service. IMHO it would be better if it's located outside your LAN to avoid using up valuable bandwidth.

              You'll whitelist the IP of the proxy since all your mobile users will appear to have that IP.

              • DashrenderD
                Dashrender @1337
                last edited by

                @pete-s said in appear to come from an IP:

                Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

                I know I need DDNS - I've already got it in place.
                Why do you think wildcard support would be needed?

                • 1
                  1337 @Dashrender
                  last edited by 1337

                  @dashrender said in appear to come from an IP:

                  I know I need DDNS - I've already got it in place.
                  Why do you think wildcard support would be needed?

                  Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

                  • DashrenderD
                    Dashrender @1337
                    last edited by

                    @pete-s said in appear to come from an IP:

                    Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

                    OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

                    • 1
                      1337 @Dashrender
                      last edited by

                      @dashrender said in appear to come from an IP:

                      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

                      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

                      • DashrenderD
                        Dashrender @1337
                        last edited by

                        @pete-s said in appear to come from an IP:

                        Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

                        I've only ever set up a proxy for the same network that I'm on.

                        In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

                        I know VPNs can be set up to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also set up some type of rule that only this particular website's traffic is what goes through the VPN)

                        Though I assume there are other ways to do this as well.
                        Thoughts - recommendations?

                        • 1
                          1337 @Dashrender
                          last edited by 1337

                          @dashrender said in appear to come from an IP:

                          I've only ever set up a proxy for the same network that I'm on.

                          In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

                          I know VPNs can be set up to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also set up some type of rule that only this particular website's traffic is what goes through the VPN)

                          Though I assume there are other ways to do this as well.
                          Thoughts - recommendations?

                          You don't need a VPN because https is a VPN.

                          A proxy on a LAN works exactly like a proxy on another server outside the LAN.

                          So classic LAN based forward proxy would be:
                          LAN user -> LAN proxy -> internet -> websites

                          In your case:
                          Mobile user -> internet -> your proxy -> saas
                          and
                          Mobile user -> internet -> other websites

                          It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

                          The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

                          DashrenderD 1 Reply Last reply Reply Quote 1
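The access control mentioned at the end of the post above ("your proxy shouldn't be open to everyone"), as an added example that is not part of any post in the thread: a CONNECT-only forward proxy for Node.js that requires username/password and tunnels only to the SaaS endpoint. The host name, port, user name and password are constructed placeholders.

```javascript
// Added example, not code from the thread. All names and credentials are placeholders.

const ALLOWED_TARGETS = new Set(["rx-saas.example.com:443"]);    // hypothetical SaaS endpoint
const USERS = new Map([["mobile1", "constructed-password-1"]]);  // constructed credentials

// Compare two strings without stopping at the first differing character.
function sameString(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ (b.charCodeAt(i % (b.length || 1)) || 0);
  }
  return diff === 0;
}

// Parse "Proxy-Authorization: Basic base64(user:pass)"; returns the user name or null.
function authenticate(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(headerValue || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 1) return null;
  const user = decoded.slice(0, sep);
  const pass = decoded.slice(sep + 1);
  const expected = USERS.get(user);
  // Run the comparison for unknown users too, so both cases take the same path.
  const ok = sameString(pass, expected === undefined ? "" : expected);
  return expected !== undefined && ok ? user : null;
}

// Status for a CONNECT request: 200 = tunnel, 407 = credentials required, 403 = refused.
function decideConnect(target, headers) {
  if (!authenticate(headers["proxy-authorization"])) return 407;
  // Without this check any authenticated user could tunnel to arbitrary hosts and ports.
  if (!ALLOWED_TARGETS.has(String(target).toLowerCase())) return 403;
  return 200;
}

// Start the proxy. Plain HTTP requests are refused; only CONNECT tunnels are served.
async function serve(port) {
  const http = await import("node:http");
  const net = await import("node:net");
  const server = http.createServer((req, res) => {
    res.writeHead(405, { Connection: "close" });
    res.end("CONNECT only\n");
  });
  server.on("connect", (req, clientSocket, head) => {
    const status = decideConnect(req.url, req.headers);
    if (status !== 200) {
      const reason = status === 407 ? "Proxy Authentication Required" : "Forbidden";
      const extra = status === 407 ? 'Proxy-Authenticate: Basic realm="proxy"\r\n' : "";
      clientSocket.end(`HTTP/1.1 ${status} ${reason}\r\n${extra}Connection: close\r\n\r\n`);
      return;
    }
    const [host, portStr] = req.url.split(":");
    const upstream = net.connect(Number(portStr), host, () => {
      clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
      upstream.write(head);
      upstream.pipe(clientSocket);
      clientSocket.pipe(upstream);
    });
    upstream.on("error", () => clientSocket.destroy());
    clientSocket.on("error", () => upstream.destroy());
  });
  return new Promise((resolve) => server.listen(port, () => resolve(server)));
}

// Listen only when explicitly asked, e.g.: PROXY_PORT=3128 node proxy.js
if (process.env.PROXY_PORT) serve(Number(process.env.PROXY_PORT));
```

The CONNECT request and its Proxy-Authorization header reach a plain-HTTP listener like this one in cleartext; only the tunnelled HTTPS session to the SaaS is encrypted end to end, so the listener belongs behind TLS when the credentials matter.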
                          • DashrenderD
                            Dashrender @1337
                            last edited by

                            @pete-s said in appear to come from an IP:

                            You don't need a VPN because https is a VPN.

                            A proxy on a LAN works exactly like a proxy on another server outside the LAN.

                            So classic LAN based forward proxy would be:
                            LAN user -> LAN proxy -> internet -> websites

                            In your case:
                            Mobile user -> internet -> your proxy -> saas
                            and
                            Mobile user -> internet -> other websites

                            It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

                            The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

                            I'm looking for the name of a proxy in this case - what product to use?

                            • 1
                              1337 @Dashrender
                              last edited by 1337

                              @dashrender said in appear to come from an IP:

                              I'm looking for the name of a proxy in this case - what product to use?

                              Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

                              I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

                              • DashrenderD
                                Dashrender @1337
                                last edited by

                                @pete-s said in appear to come from an IP:

                                Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

                                I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

                                yeah - I have no real idea how to make your suggestion work.

                                I know browsers can be set up to use a proxy - so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, there's a lot of heavy lifting for me on that.

                                • 1
                                  1337 @Dashrender
                                  last edited by

                                  @dashrender said in appear to come from an IP:

                                  yeah - I have no real idea how to make your suggestion work.

                                  I know browsers can be set up to use a proxy - so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, there's a lot of heavy lifting for me on that.

                                  Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.

                                  If we're talking Windows I think the normal way is to use GPO to push out settings. Usually there is a proxy auto configuration (PAC) url/file that contains the settings and the client is told to look for that.

                                  You could do it manually as well of course.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
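The proxy auto configuration file mentioned in the post above, as an added example that is not part of any post in the thread: a PAC file that sends only the SaaS traffic through the proxy and everything else direct. The SaaS host name and the proxy address are hypothetical placeholders.

```javascript
// Added example, not code from the thread. Host names and proxy address are placeholders.
// A PAC file is plain JavaScript: the browser calls FindProxyForURL(url, host) for each
// request and routes it according to the returned string.

var SAAS_DOMAINS = ["rx-saas.example.com"];        // hypothetical SaaS host names
var PROXY_ROUTE = "PROXY proxy.example.net:3128";  // hypothetical proxy whose IP is whitelisted

// True when host is the domain itself or a subdomain of it.
// Matching on "." + domain keeps look-alikes such as "notrx-saas.example.com" off the proxy.
function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function FindProxyForURL(url, host) {
  // Host names are case-insensitive and may carry a trailing dot.
  host = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < SAAS_DOMAINS.length; i++) {
    if (hostInDomain(host, SAAS_DOMAINS[i])) {
      // No "; DIRECT" fallback: if the proxy is down the request fails instead of
      // leaving from an address the SaaS provider has not whitelisted.
      return PROXY_ROUTE;
    }
  }
  // Everything else bypasses the proxy.
  return "DIRECT";
}
```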
                                  • DashrenderD
                                    Dashrender @1337
                                    last edited by

                                    @pete-s said in appear to come from an IP:

                                    @dashrender said in appear to come from an IP:

                                    @pete-s said in appear to come from an IP:

                                    @dashrender said in appear to come from an IP:

                                    @pete-s said in appear to come from an IP:

                                    @dashrender said in appear to come from an IP:

                                    @pete-s said in appear to come from an IP:

                                    @dashrender said in appear to come from an IP:

                                    @pete-s said in appear to come from an IP:

                                    @dashrender said in appear to come from an IP:

                                    @pete-s said in appear to come from an IP:

                                    Either way for mobile users FQDNs are also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

                                    I know I need DDNS - I've already got it in place.
                                    Why do you think wildcard support would be needed?

                                    Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

                                    OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

                                    Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

                                    I've only ever set up a proxy for the same network that I'm on.

                                    In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

                                    I know VPNs can be set up to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also set up some type of rule that only this particular website's traffic is what goes through the VPN)

                                    Though I assume there are other ways to do this as well.
                                    Thoughts - recommendations?

                                    You don't need a VPN because https is a VPN.

                                    A proxy on a LAN works exactly like a proxy on another server outside the LAN.

                                    So classic LAN based forward proxy would be:
                                    LAN user -> LAN proxy -> internet -> websites

                                    In your case:
                                    Mobile user -> internet -> your proxy -> saas
                                    and
                                    Mobile user -> internet -> other websites

                                    It's the proxy settings on the client that determine what traffic goes over the proxy and what goes direct.

                                    The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

                                    I'm looking for the name of a proxy in this case - what product to use?

                                    Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

                                    I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

                                    yeah - I have no real idea how to make your suggestion work.

                                    I know browsers can be set up to use a proxy - so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, there's a lot of heavy lifting for me on that.

                                    Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.

                                    If we're talking Windows I think the normal way is to use GPO to push out settings. Usually there is a proxy auto-configuration (PAC) URL/file that contains the settings and the client is told to look for that.

                                    You could do it manually as well of course.

                                    No GPO in this company. No onsite Windows Servers.
                                    They do have O365, but only the lowest level - so no Intune either. All manual work at this point.

                                    • 1
                                      1337 @Dashrender
                                      last edited by 1337

                                      @dashrender said in appear to come from an IP:

                                      No GPO in this company. No onsite Windows Servers.
                                      They do have O365, but only the lowest level - so no Intune either. All manual work at this point.

                                      Well, doing it manually you search for proxy settings in Windows 10. And add a URL. That URL contains a script that tells your client when to use a proxy and when not.

                                      • 1
                                        1337 @1337
                                        last edited by 1337

                                        The proxy file will look something like this:

                                        function FindProxyForURL(url, host)
                                        {
                                           if (dnsDomainIs(host, ".saas.com"))
                                              return "PROXY yourproxy:443";
                                           else
                                              return "DIRECT";
                                        }

                                        You can host it on your proxy server if you use Apache or nginx. Or GitHub or wherever.
                                        If you want to change something in the client's proxy settings, you only need to change this file.

                                        1 1 Reply Last reply Reply Quote 0
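The PAC logic from the post above, as an added example that is not part of the original post: a slightly hardened variant evaluated against constructed hostnames. `saas.com` and `yourproxy:443` are the thread's placeholders; the `dnsDomainIs` shim, `SAAS_DOMAIN`, `PROXY_ROUTE` and `routeTable` are assumptions added so it runs under Node, and the shim is dropped from a deployed PAC file because browsers supply that helper.

```javascript
// Stand-in for the browser's built-in PAC helper so this runs under Node.
// The real helper is a plain suffix match on the host string.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Placeholders taken from the thread; replace with the vendor's domain
// and your own proxy.
var SAAS_DOMAIN = "saas.com";
var PROXY_ROUTE = "PROXY yourproxy:443";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Match the apex and true subdomains only. Testing the suffix ".saas.com"
  // alone misses the bare "saas.com"; testing "saas.com" without the dot
  // would also match look-alikes such as "notsaas.com".
  if (host === SAAS_DOMAIN || dnsDomainIs(host, "." + SAAS_DOMAIN)) {
    // No "; DIRECT" fallback here: if the proxy is unreachable the request
    // fails, instead of going out from the client's own, non-allowlisted IP.
    return PROXY_ROUTE;
  }
  return "DIRECT";
}

// Constructed sample hosts, mapped to the route the PAC logic picks.
function routeTable() {
  var hosts = ["app.saas.com", "saas.com", "APP.SaaS.com",
               "notsaas.com", "saas.com.example.net", "www.example.org"];
  var out = {};
  hosts.forEach(function (h) {
    out[h] = FindProxyForURL("https://" + h + "/", h);
  });
  return out;
}

console.log(routeTable());
```

With the `PROXY` keyword the client speaks plain HTTP to the proxy itself and tunnels HTTPS sites through it with CONNECT, so a proxy username/password sent this way is not encrypted on the way to the proxy.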
                                        • 1
                                          1337 @1337
                                          last edited by 1337

                                          To find out how to configure a proxy server just search for forward proxy:
                                          https://duckduckgo.com/?q=forward+proxy+nginx
                                          https://duckduckgo.com/?q=forward+proxy+apache

                                          You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

                                          • DashrenderD
                                            Dashrender @1337
                                            last edited by

                                            @pete-s said in appear to come from an IP:

                                            To find out how to configure a proxy server just search for forward proxy:
                                            https://duckduckgo.com/?q=forward+proxy+nginx
                                            https://duckduckgo.com/?q=forward+proxy+apache

                                            You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

                                            Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.
