appear to come from an IP
-
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?
Don't know how many clients you have, but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com, which covers client1.example.com, client2.example.com, etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.
OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.
Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.
I've only ever set up a proxy for the same network that I'm on.
In this case I'd need a solution that allows a remote user to be anywhere and proxy through a known source to the destination.
I know VPNs can be set up to do this: VPN to the office network, and all traffic, including internet traffic, goes through the VPN and out the office ISP. (I'm sure one could also set up some type of rule so that only this particular website's traffic goes through the VPN.)
Though I assume there are other ways to do this as well.
Thoughts - recommendations?
You don't need a VPN because https is a VPN.
A proxy on a LAN works exactly like a proxy on another server outside the LAN.
So classic LAN based forward proxy would be:
LAN user -> LAN proxy -> internet -> websites
In your case:
Mobile user -> internet -> your proxy -> saas
and
Mobile user -> internet -> other websites
It's the proxy settings on the client that determine what traffic goes over the proxy and what goes direct.
The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.
I'm looking for the name of a proxy in this case - what product to use?
Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.
I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.
Yeah - I have no real idea how to make your suggestion work.
I know browsers can be set up to use a proxy, so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, but there's a lot of heavy lifting for me in that.
-
@dashrender said in appear to come from an IP:
Yeah - I have no real idea how to make your suggestion work.
I know browsers can be set up to use a proxy, so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, but there's a lot of heavy lifting for me in that.
Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.
If we're talking Windows, I think the normal way is to use a GPO to push out the setting. Usually there is a proxy auto-configuration (PAC) URL/file that contains the settings, and the client is told to look for that.
You could do it manually as well, of course.
-
@pete-s said in appear to come from an IP:
Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.
If we're talking Windows, I think the normal way is to use a GPO to push out the setting. Usually there is a proxy auto-configuration (PAC) URL/file that contains the settings, and the client is told to look for that.
You could do it manually as well, of course.
No GPO in this company. No onsite Windows Servers.
They do have O365, but only the lowest level, so no Intune either. All manual work at this point.
-
@dashrender said in appear to come from an IP:
No GPO in this company. No onsite Windows Servers.
They do have O365, but only the lowest level, so no Intune either. All manual work at this point.
Well, doing it manually you search for proxy settings in Windows 10 and add a URL. That URL contains a script that tells your client when to use a proxy and when not.
-
The proxy file will look something like this:
function FindProxyForURL(url, host) {
    // only the SaaS domain (and its subdomains) goes via the proxy; everything else goes direct
    if (dnsDomainIs(host, ".saas.com"))
        return "PROXY yourproxy:443";
    else
        return "DIRECT";
}
You can host it on your proxy server if you use apache or nginx. Or github or where ever.
If you want to change something in the client's proxy settings, you only need to change this file.
-
To find out how to configure a proxy server just search for forward proxy:
https://duckduckgo.com/?q=forward+proxy+nginx
https://duckduckgo.com/?q=forward+proxy+apache
You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.
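The PAC file pete-s posted above, as an added example that is not part of the original thread, made runnable under node so the routing decision can be checked before the URL is handed to clients. Browsers supply dnsDomainIs() and isPlainHostName() themselves; the shims here reproduce their behaviour. The proxy endpoint and the SaaS domain (saas.example) are assumed values.

```javascript
// Added example: the thread's PAC logic, runnable outside a browser.
// Hypothetical values: PROXY_ENDPOINT, SAAS_DOMAIN.
const PROXY_ENDPOINT = 'PROXY yourproxy.example:3128';
const SAAS_DOMAIN = 'saas.example';

// PAC helper shim: true when host ends with domain (domain is normally written with a leading dot)
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}

// PAC helper shim: true for names without any dot, i.e. LAN short names
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// The function the browser calls for every request. Only the SaaS goes via the proxy.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return 'DIRECT';          // intranet names: never proxy
  // dnsDomainIs(host, ".saas.example") alone would miss the bare "saas.example",
  // so the exact name is checked separately.
  if (host === SAAS_DOMAIN || dnsDomainIs(host, '.' + SAAS_DOMAIN)) {
    // No "; DIRECT" fallback on purpose: if the proxy is down, going direct would
    // only produce an IP-allowlist rejection at the SaaS side, so fail visibly.
    return PROXY_ENDPOINT;
  }
  return 'DIRECT';                                      // everything else stays direct
}

// Convenience wrapper for checking full URLs from a script (not part of the PAC API).
function routeFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```

The suffix check is what keeps lookalike names such as evil-saas.example on the direct path, and the missing DIRECT fallback is deliberate: for an IP-allowlisted SaaS a silent fallback only hides a proxy outage behind a confusing access-denied page.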
-
@pete-s said in appear to come from an IP:
To find out how to configure a proxy server just search for forward proxy:
https://duckduckgo.com/?q=forward+proxy+nginx
https://duckduckgo.com/?q=forward+proxy+apache
You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.
Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.
-
@dashrender said in appear to come from an IP:
Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.
No problem. I wanted to share some info on proxies since it sounds more complicated than it is and it's a staple in the enterprise space. And proxies are available as services too.
-
@dashrender said in appear to come from an IP:
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Any other suggestions from anyone?
Actually ask them how they can both say that they need this software AND continue using it knowing that at any moment access to it could evaporate and they'll be stuck.
Sadly - so many just don't understand this. And there aren't as many options for pharmacy software as you might think.
I would actually assume there to only be 1 or 2 options anywhere.
-
@dustinb3403 said in appear to come from an IP:
I would actually assume there to only be 1 or 2 options anywhere.
I've yet to encounter any field like that. Everyone says it, but any field we actually look into there are so many options and just no one cares to evaluate them. Veterinary we work with all the time and there must be at least thirty, but no one in veterinary knows them or would evaluate them. The biggest products in use are the worst ones because anyone who doesn't rely on IT vetting on these things will always gravitate towards ancient, abandoned code.
-
@scottalanmiller said in appear to come from an IP:
I've yet to encounter any field like that. Everyone says it, but any field we actually look into there are so many options and just no one cares to evaluate them. Veterinary we work with all the time and there must be at least thirty, but no one in veterinary knows them or would evaluate them. The biggest products in use are the worst ones because anyone who doesn't rely on IT vetting on these things will always gravitate towards ancient, abandoned code.
This is likely the situation.
Changing software packages like this is often a HUGE time sink and productivity reducer, which is why most hate doing it.
Additionally, I can of course suggest this course of action, but in most of these cases, if not all, I'm not considered a voice in these decisions.
-
@scottalanmiller said in appear to come from an IP:
The biggest products in use are the worst ones because anyone who doesn't rely on IT vetting on these things will always gravitate towards ancient, abandoned code.
I don't disagree they will end up there in many cases - but what makes you say they will gravitate? The fact that they are the biggest/most advertised/known by word of mouth? Certainly you're not implying they would purposefully pick a product with abandoned code?
-
@dashrender said in appear to come from an IP:
I don't disagree they will end up there in many cases - but what makes you say they will gravitate? The fact that they are the biggest/most advertised/known by word of mouth? Certainly you're not implying they would purposefully pick a product with abandoned code?
Because the nature of business people who ignore important factors is to focus on easily visible ones like age, popularity, name recognition, cost, experience, etc. all things that favour old and abandoned software because ghost ship software has the highest profit margins making it the easiest to advertise, promote, discount, etc.
-
Took more than a week - but ultimately Scott ended up being correct - the lockdown is not about security but about licensing.
In fact the client was told - if you want full time access from another location, they'd have to license a second location.
Of course this doesn't solve the real problem - wanting to be able to work from anywhere.
Looks like I'll be setting up a proxy server.
-
Well - this vendor called me back this morning (the last bit of information was passed on by the owner from a conversation they had with the vendor).
The vendor knows we are looking for remote access - specifically so we can run reports from home.
rep said - oh, you need that? OK sure, fine - give me the user and their home IP and I'll get that added.
me - uh - home ISPs change IPs, sometimes daily - how are we supposed to keep you updated?
rep - oh - they'll have to give us the new IP so we can add it
me - /sigh - does your system support dynamic DNS based... OK, I screwed up - I should have just asked: can you put an internet-resolvable host name in your list instead of an IP?
rep - oh yeah I know what DDNS is
me - ok do you support it?
rep - well if you're attaching to your server using some type of VPN
me - no, that's not what DDNS is, I explain DDNS
rep - oh, I don't know if our system supports hostnames
me - can you check?
rep - sure
click
Of course this kinda flies in the face of the licensing issue the owner was told, but there's still hope - though very very little.