Here's an odd one... We have an application that uses OLEDB to connect to an Azure SQL database over port 1433.
Users authenticate through a REST API. Once the API has validated the authentication it will fetch the connection details and pass those back to the application which will then attempt to connect to the database using the connection string it builds up using those pieces of information.
The Azure SQL Server Firewall is configured not to let through any IP addresses by default. Our REST API, after authenticating the user, will then determine what their IP address is and add it to the firewall temporarily.
All of this normally works quite well. But with one site we have experienced a strange issue.
When you start a browser and you enter "What's My IP" in the user's browser, it returns an IP Address (IPv4), say, A.B.C.D
I confirm that the REST API also seems to be getting that value for the IP Address, as after authentication I see that the REST API has added A.B.C.D to the firewall rules.
But our application wouldn't connect. Luckily, we have a "direct" mode which connects directly to the database without using the REST API - this is normally used for clients who prefer to keep their databases On Premises. So I switch the app to this "direct" mode and it reports an error.....
The error it comes back with reports that IP Address A.B.E.F isn't allowed to connect to the database.
"What's my IP" still reports A.B.C.D as the site's external IP Address
My question is: How might this situation have arisen? What can we tell their IT support to check or change to prevent this?
Related
I am struggeling to connect to my home server that is connected via a Fritzbox router to the internet. I want to connect to the home server from outside of the home net, as it serves as a NAS and provides HTTP(S) services.
The problem is, that I don't understand how to connect to the server over the internet. My Fritzbox is connected to my internet provider via DS-Lite internet connection. As far as I understood, this means that my Fritzbox has no public IPv4 address and therefore the server is not reachable.
Is it still somehow possible to connect to the server?
Reading your question, I can see that there are multiple steps to solve this.
figure out if your internet provider allows you to have incoming connections
I do not know, what a ds lite connection is. Depending on your connection type, e.g. glass fibre, dsl, mobile and your provider incoming connections might be allowed or not. Also specific ports might be forbidden.
Enable port forwarding for incoming connections to your lan server.
Your fritzbox does not know, where to route the incoming connection to.
Make your lan server ip address static. Go to your fritzbox admin page and create a port forwarding rule and map data incoming on port 80(HTTP) and 443(HTTPS) to the lan server ip address.
You can read further here: https://en.wikipedia.org/wiki/Port_forwarding
Figure out the fritzbox's public ip address by checking out this website from within your lan. https://whatismyipaddress.com/
Connect to your server via http(s)://publicip
setup dynamic dns to have a public domain, which you can use instead of the ip address.
Usually private customer internet connections use dynamic ip addresses. So your ip address changes regularly. This is annoying, because you need to lookup the ip address before you can connect again. To avoid this issue, you can use a dynamic dns provider to give you a domain name, which you can use instead of the public ip address. Your fritzbox should have this kind of functionality already. If not, you can also configure it on your server with a cron job.
You can read further here: https://en.wikipedia.org/wiki/Dynamic_DNS
This provider is easy to use and for free: https://freedns.afraid.org/
use the dynamic dns domain name instead othe public to access your server from anywhere
Be aware, that having open connections to your local network gives attack surface from the public internet. So people might steal or delete data on your server or abuse it in other ways.
I am at a large University, with servers set up on the Univeristy network. The network has internal (10...) IP addresses, and external (129...) IP addresses. I have a ColdFusion-based business process which FTP's data from an external server.
The server on which the ColdFusion instance is based has several (about 10) IP addresses associated with it, both internal and external. It has one primary address, which has been, until recently, external.
Using Wireshark, we have been able see which IP is used, and it is never the primary, but other than that, does not seem to follow any logic.
We recently changed the primary IP for the server to an internal address, to comply with new University-wide security policies, and the FTP connection from Coldfusion stopped working. Using Wireshark, we've confirmed it is going out on one of the internal (10...*) IP addresses (not the primary).
Is there a way to control which IP ColdFusion uses for an FTP connection, either through system configuration, or programmatically?
Code for the FTP call:
var ftpService= new ftp(
username = partnerConfig.sftpLogin,
connection = "MyConnection",
password = partnerConfig.sftpPw,
fingerprint = partnerConfig.sftpFingerprint,
server = partnerConfig.sftpServer,
secure = "yes"
);
var result=ftpService.open();
var result2=ftpService.listdir(directory = partnerConfig.inFolder, name="dirlist");
var result3=result2.getResult();
EDIT: My server guy tells me that this University is fairly unique in how it configures the subnets. NO firewall exceptions are allowed from the 10.* subnet. The "Public" IP's are not public by default, simply the ones which are capable of having exceptions.
FURTHER EXPLANATION: It comes down to the Rules and IP addresses the main IT org at the university set up. the 10.x.x.x IPs are never allowed access outside the university ("internal"). 129.x.x.x IP, may have firewall exceptions ("external"). If I type ipconfig (it's Windows), I see about 10 static IP addresses, half of which are 10.x.x.x, and half of which are 129.x.x.x. When the "primary" IP for the machine was a 129.x.x.x address, Coldfusion chose one of the OTHER 129.x.x.x addresses for the outgoing IP for the connection. With the "primary" IP switched to a 10.x.x.x IP, ColdFusion is choosing one of the OTHER 10.x.x.x addresses for the outgoing connection. My choices, as far as I can tell are 1) Switch the primary back to a 129.x.x.x for the server; 2) Move the site to a different server with a primary of 129.x.x.x, and keep other sites on the server in compliance with the new policy; 3)See if I can figure out how to control which IP Coldfusion chooses from the 10 static IPs on the server.
Our admin figured it out. We needed to add a static route to the server, so that whenever ColdFusion (or any application) tries to connect to the specific destination we were FTPing to, it goes through a specific outgoing IP address.
This was not something I was familiar with, but a quick search gives the basics: http://technet.microsoft.com/en-us/library/dd469825.aspx
You have an internal IP address and you are not sure what the external is? This sound like a network bridge issue. What you are looking for is FTP proxy or some tool that associates an externally assigned IP to an internally assigned IP for port 22 (or whatever you set your port to). Look at: http://wiki.squid-cache.org/Features/FtpGateway
FTP reverse proxy
It sounds like your IPs (even internally may not be static)...or maybe it just feels that way. Make sure your internal IP is static.
Read about FTP port forwarding: Here are some port forwarding guides.
Other keywords FTP bridge, FTP one-to-one mapping, among others.
Good luck.
I had a similar question regarding the cfmail tag:
Force cfmail tag to send from a specfic server IP address
Unfortunately, I didn't get an answer that worked. ColdFusion seems to pick (seemingly at random) which source IP address is used.
According to Obtain client MAC address in ASP.NET Application, it is not possible. I am not entirely convinced because whenever I connect to Tim Hortons WiFi, my MAC address is known.
Occasionally, the network is slow and I see this URL like this before being redirected to the Connect page:
http://timhortonswifi.com/cp/tdl3/index.asp
?cmd=login
&switchip=172.30.129.73
&mac=60:6c:66:17:1a:83
&ip=10.40.66.229
&essid=Tim%20Hortons%20WiFi
&apname=TDL-ON-NEP-02177-WAP1
&apgroup=02177
&url=http%3A%2F%2Fweather%2Egc%2Eca%2Fcity%2Fpages%2Fon-72_metric_e%2Ehtml
So according to this URL, the site knows the IP address of the router, my MAC address, the IP address assigned to my device by the router, the network SSID, some other pieces of information, and the URL I was trying to access prior to connecting.
There's two options: Tim Hortons WiFi Basic and Tim Hortons WiFi Plus, where the "Plus" option allows me to connect to any Tim Hortons WiFi access point in Canada automatically with this device. Registration requires an email address, so I'm assuming this is possible by checking the MAC address and storing it in a database that routers ping upon connection. More info here.
According to the extension of this page, I can safely assume it is ASP. How are they obtaining this information?
When your client traffic reaches the first router, that router will route the traffic to the adecuated port, changing the response MAC address with its own MAC address so the answer will be routed to it. And this will happen for each of the routers the packets travel by. So, at the end, the web server will only see the MAC address of the last router where the answer will be sent to be routed back to the previous roter, and this process repeated until the answer reaches the client.
No, there is not way to obtain the MAC address of client from server side.
But, what you are seeing is a client sending its information to a server. So, the answer can be converted into "how can i obtain my local mac address and send it to the server?".
Browsers do not allow to read this information. Some properly signed/configured ActiveX or Java applets can do it, but they can be blocked, or you can have some device that will not execute java nor activex, so it is not a reliable way of doing it.
In the case in your post, the easiest way of doing it is configuring the wifi access point dhcp or dns server to serve a proxy configuration file that will allow to configure a redirection to the desired web server, redirection that has been created inside the access point, which have all the shown information in your post.
I use to develop my project on my localhost, on apache in ubuntu machine.
Sometimes i need to show progress to my costumer.
Is it possible to access to localhost from remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the post as so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Following I am typing some methods with some analyses
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your routers public port to loclhoat port), however this requires you to have fixed ip address. In case your ip address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use domain name instead ip address (there are lot of available free services). Here we still have security question open. To solve security question i.e. setup ssl certificate we can use Let’s Encrypt service ( https://letsencrypt.org/ ) to get free certificate, however we should configure local server to use the certificate or we should setup reverse proxy (in most cases nginx or apache) and configure proxy to use certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to VPN then in other side we should connect our client's machine to VPN that will allow us to access to localhost by local IP address. We can set up our own VPN server however this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straight forward i.e. Register a User, Connect your device to service (by running one line command on device), use Web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static ips during a session (i.e. until you disconnect and connect again)
I would be interested in hearing from anyone that has successfully established a VPN connection through a Sonicwall (TZ-100) device on to a SBS-2008 network as I currently have VPN access (through the Sonicwall Global VPN Client), but I am currently using a local user account from the firewall device.
As I am not establishing the VPN request using my Windows-AD username and password, I am having to enter my windows credentials to access network resources. Launching Outlook does not show my mail (even if I type in my password when promted). If I type in \\MyServerName\SharedFolder into Explorer, then I see the 'offline' sync folders stored on my laptop. On the otherhand, if I type \\192.168.100.10\SharedFolder (lets assume this is the LAN IP4 address for my server), then once I enter my windows credentials, I can see ALL the 'online' folders. Currently, for mail, I am using OWA while connected on the VPN. This current approach is not ideal. I feel there is a DNS, NETBIOS problem with my current set up.
Question, so that I can work from home in a 'normal uninterrupted' manner, do I need to activate 1. Radius by itself?, 2. LDAP by itself? or 3. Radius + LDAP together? Any pointers would be helpful as I would like to approach the Sonicwall support team armed with a little more info and having read some friendly material.
The problem was resolved by changing the DNS address on the Sonicwall device to the server rather than inherritting the external DNS addresses from the ISP. Also the DHCP service was routed to the server for VPN traffic.
There is no need to set up any additional services on the server to get LDAP running on the Sonicwall device. With a little help from the Sonicwall support, my network now works as one would expect.