Mike, posted July 19, 2007

Hi all,

I have a PC that is running Windows XP and there are multiple user environments present (similar to a terminal server) whereby there is the console (sitting in front of the PC) and then individual user Windows sessions for other users attaching through, let's say, RDP (but not RDP). In each Windows session/environment there is a network application (similar to telnet) that must attach to an application server (on a different but nearby subnet). The application server will only accept connections from 1 IP address, therefore the first user to launch the application connects and the rest get denied. I need to make each session appear to be coming from a different IP on this subnet.

My idea is to have each user create a PPTP/L2TP connection to a local RRAS server on the subnet, thereby getting a unique IP address which I want the network application to use as its source address when connecting to the application server. I tried this and I did obtain the IP address, however when I tried to connect to the app server I found my source was still using the WinXP system's IP address, for example 10.0.0.3 (instead of 10.0.0.6 obtained through DHCP in RRAS). I found this by using netstat -n -o.

Any ideas on how to get this to work either my way or another way?

Thanks,
Mike
Phillip Windell, posted July 19, 2007
Re: Tunnel traffic through RRAS server on same physical network and subnet

"Mike" <mike008usNO-SPAM@yahoo.com> wrote in message news:OM5xOIcyHHA.1164@TK2MSFTNGP02.phx.gbl...

To the question in the subject line,...No,...that is not going to happen. A VPN Device is a type of "router",...routing requires different subnets on each "side". And even if that was not true it is still going to show coming from the Client's regular IP# anyway.

> I have a PC that is running Windows XP and there are multiple user
> environments present (similar to a terminal server) whereby there is the
> console (sitting in front of the PC) and then individual user windows
> sessions for other users attaching through let's say RDP (but not RDP).

So it is a Terminal Session,...it doesn't matter who makes it. It is the same principle as the old systems with the "green screen" terminals of the 1970's and 1980's.

> In each windows session/environment there is a network application
> (similar to telnet) that must attach to an application server (on a
> different but nearby subnet). The application server only will accept
> connections from 1 IP address therefore the first user to launch the
> application connects and the rest get denied. I need to make each session
> appear to be coming from a different IP on this subnet.

What is a "Windows session/environment"? Please don't "make up" terms. We have to "speak the same language" and then actually know what each other means by it if we are to get anywhere.

You are either running a Telnet session directly from the PC,..or you are running a Telnet session inside the Terminal Session. If it is run from the PC then it will always be coming from the PC's IP#. But if it is a Telnet session run from within a Terminal Session then it will always be coming from the IP of the "terminal server".

> My idea is to have each user create a PPTP/L2TP connection to a local RRAS
> server on the subnet, thereby getting a unique IP address by which I want
> the network application to use as its source address when connecting to
> the application server.

Not gonna happen.

> I tried this and I did obtain the IP address, however when I tried to
> connect to the app server I found my source was still using the WinXP
> system's IP address for example 10.0.0.3 (instead of 10.0.0.6 obtained
> through DHCP in RRAS). I found this by using netstat -n -o.

If you are Telneting to the Application and it shows the PC's IP#,..then this is not running over a Terminal Session,...it could even be that the Terminal Server thing is not truly even a Terminal Server as you thought it was and therefore the Session is not a true Terminal Session as you thought it was.

The real fix for this is for the people who wrote the Application to fix the thing so it is not limited to a single Client IP. That is a ridiculous requirement and any programmer who wrote it that way either doesn't live in the real world or doesn't know what they are doing.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Mike, posted July 19, 2007
Re: Tunnel traffic through RRAS server on same physical network and subnet

Phillip, I don't think you understand and are probably not qualified to be in this discussion. If you'd like to reply please limit your response to helpful insight or questions that might help you further understand the problem.

There is no option for changing the way this application server accepts connections (welcome to the real world). It is a 3rd party solution that is connected to on a private communication link. They will only accept 1 connection per IP address.

The Windows XP machine where I'm trying to get multiple connections to originate from is not a terminal server from Microsoft, yet it is running Terminal server software from Ncomputing.com. NComputing sells dumb terminals. These terminals connect to the software installed on the WinXP PC. Each terminal session gets its own Windows desktop session independent of the console and other sessions. Applications installed on the PC are accessible to all users connected either through the console or dumb terminal.

I need a way to make this application or all applications in a given terminal session originate traffic from a different IP address than the XP PC. From one of these terminals I can create a PPTP connection to a server on the same LAN to obtain a unique IP. Now I just need to force traffic through the PPTP interface. Either that or a different solution.

Any positive advice is appreciated.

Thanks,
Mike

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:O13vZTiyHHA.1100@TK2MSFTNGP06.phx.gbl...
Phillip Windell, posted July 19, 2007
Re: Tunnel traffic through RRAS server on same physical network and subnet

"Mike" <mike008usNO-SPAM@yahoo.com> wrote in message news:u9EPqDkyHHA.464@TK2MSFTNGP02.phx.gbl...

> Phillip, I don't think you understand and are probably not qualified to be
> in this discussion. If you'd like to reply please limit your response to
> helpful insight or questions that might help you further understand the
> problem.

After being involved with this stuff since the days of DOS and spending 8 years as an IT Manager at an NBC Affiliate TV Station that has more electronics, networking devices, and proprietary software than many IT people have seen in their entire life, and then 3 or 4 years as an MS MVP for MS's Firewall Product, ISA Server, after it replaced the old MS Proxy2,...I suspect I am qualified.

Possibly not understanding your situation? I'll give you that,..that is certainly possible,...that's why I asked in the last post that you explain things carefully with correct terminology,...all I have are words on the screen to work with,...I cannot see what you are looking at for myself.

> There is no option for changing the way this application server accepts
> connections (welcome to the real world). It is a 3rd party solution that
> is connected to on a private communication link. They will only accept 1
> connection per IP address.

Nonsense, ...if it can be written,...it can be patched or replaced with a newer version. Just ask MS, there are over 100 patches for XP-SP2 at this point. Everything is 3rd party relative to someone else,...to Sun Microsystems, Windows XP is a 3rd party product.

> The Windows XP machine where I'm trying to get multiple connections to
> originate from is not a terminal server from Microsoft, yet it is running
> Terminal server software from Ncomputing.com.

Yes, that is exactly what I pictured and described.

> NComputing sells dumb terminals. These terminals connect to the software
> installed on the WinXP PC. Each terminal session gets its own Windows
> desktop session independent of the console and other sessions.
> Applications installed on the PC are accessible to all users connected
> either through the console or dumb terminal.

Yes, it is acting as a Terminal Server. "Terminal Server" is also a generic term (a server remote controlled by terminals),...it doesn't have to mean an MS product.

> I need a way to make this application or all applications in a given
> terminal session to originate traffic from a different IP address than the
> XP PC.

Sorry it isn't going to happen.

> From one of these terminals I can create a PPTP connection to a server on
> the same LAN to obtain a unique IP. Now I just need to force traffic
> through the PPTP interface.

You can't. The source IP# of the traffic is always going to be the Nic that matches the subnet the target is on (if the target server is on the same subnet) or will match the Nic with the Default Gateway. If the machine has multiple Nics on the same subnet (which you aren't supposed to do) then the source IP# will be the one of the Nic that is the highest priority in the binding order. If you have a single Nic with multiple IP#s then the source IP# will always be the Primary IP# of the Nic.

> Either that or a different solution.
>
> Any positive advice is appreciated.

I'm sorry if you don't appreciate what I am telling you, but the truth may not always be "positive". You have two options, probably you won't like either,....one would cost the developing company money,...the other would cost you money.

[The best choice]
1. The Application needs to be configured, patched, or re-written to be "IP neutral" in how it handles connections. Correctly written applications would identify the session by the Random Client Source Port and the IP# as a combined pair,...not simply the IP# by itself. That is short sightedness of the developers.

[not the best choice, but should work]
2. Use multiple XP machines with the Ncomputing software on each one and one Ncomputing Terminal connecting to each one. Now you will have a different IP# for each user. If you are short on Hardware for this you can make up for a few by using Virtual PC with multiple Virtual Machines running on them. The number of them is limited by the CPU and memory of the hardware. A 2gig CPU with 2 Gig of RAM can probably easily run one copy of XP plus 3 or 4 copies in Virtual Machines. You still have to own all the XP copies you use, but it does save on hardware.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
Mike, posted July 20, 2007
Re: Tunnel traffic through RRAS server on same physical network and subnet

Phillip, thank you for your detailed explanation and contribution.

I suspect the 3rd party does this partially for ease on their part and partially for licensing. They charge per host and each host is set up in their Unix systems' host file. Regardless, they won't be changing the way they operate.

I have tried running the Ncomputing software inside of a Virtual PC already. It does work, but it does so slowly. The Ncomputing software either takes too many resources to run inside the VM or the PC doesn't have enough resources. I'm thinking it's more of the first than the latter, because the system is fairly new. Either way I have not found this to be a workable solution.

I really thought the PPTP would work because the whole point of tunneling is to force traffic through a secure tunnel (even if it is on the LAN). I'd still like to pursue this and was thinking maybe I can modify the route table of the PC so it can only make it to the PPTP server on the LAN (via the physical NIC, maybe with a /30 mask), then when the PPTP session is established it will route all other LAN traffic through there. If that doesn't work something else should. I've thought about setting up a proxy to try to change the source IP. If IP spoofing is possible, then this should be as well. I understand it's complex, but I don't believe there is no solution.

Any other suggestions are surely appreciated.

Thanks,
Mike

The 3rd party will never change the system. I suspect they have this setup

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:e7quC4kyHHA.4712@TK2MSFTNGP04.phx.gbl...
Phillip Windell, posted July 20, 2007
Re: Tunnel traffic through RRAS server on same physical network and subnet

"Mike" <mike008usNO-SPAM@yahoo.com> wrote in message news:uzOXE0uyHHA.3916@TK2MSFTNGP02.phx.gbl...

> I have tried running the Ncomputing software inside of a virtual PC
> already. It does work, but it does so slowly. The Ncomputing software
> either takes too much resources to run inside the VM or the PC doesn't
> have enough resources.

Did you install the Virtual Machine Additions on the Guest OS after it was put into place? After the VMAs are installed the performance can jump up drastically. Without the Virtual Machine Additions the performance is just plain horrible no matter how good the hardware is.

> I really thought the PPTP would work because the whole point of tunneling
> is to force traffic through secure tunnel (even if it is on the LAN). I'd
> still like to pursue this and was thinking maybe I can modify the route
> table of the PC so it can only make it to the PPTP server on the LAN (via
> the physical NIC maybe with a /30 mask), then when the PPTP session is
> established it will route all other LAN traffic through there.

I just noticed this in your earlier post:
--------------------------------------------------
> there is a network application (similar to telnet) that must attach to an
> application server (on a different but nearby subnet).
--------------------------------------------------

Since the XP machine is on a different subnet from the target server it would appear that there might be hope. Sorry, in the first posts I thought it was all one subnet,...this was due to the message's subject line and when you described the user receiving 10.0.0.6 with the VPN while the PC was 10.0.0.3,...those are the same subnet and won't work correctly,...so I thought everything was running over a single subnet.

In your first post you described this:
-----------------------------------------------------
> My idea is to have each user create a PPTP/L2TP connection to a local RRAS
> server on the subnet, thereby getting a unique IP address by which I want
> the network application to use as its source address when connecting to
> the application server. I tried this and I did obtain the IP address,
> however when I tried to connect to the app server I found my source was
> still using the WinXP system's IP address for example 10.0.0.3 (instead of
> 10.0.0.6 obtained through DHCP in RRAS). I found this by using netstat -n -o.
--------------------------------------------------------

This failed because the user received an IP# from the same subnet (10.0.0.x) that the PC was already a part of on its own. This creates the same effect as having two Nics in a machine from the same subnet and it would fail as I described in earlier posts.

Here are two things to consider....

1. The item "Use gateway on remote network" in the user's VPN Connectoid needs to be enabled.

2. The VPN box needs to be a dual-Nic box and must sit between the subnet of the users and the subnet of the target server. It must have an interface on each subnet with the "user side" of it being the side that accepts the incoming VPN connection. The user then gets an IP# from the subnet of the Target server and that should be the IP the connection appears to come from.

You still have the problem of the XP machine already having a valid path to the target server which could cause it to follow that path and always use the main IP of the PC. However, as long as the "Use gateway on remote network" is enabled on the user's VPN Connectoid it may force it over the established VPN connection.

I'm not positive it will work correctly, but if it does, I think it will have to be done along those lines. I still think the VPC method is easier and cleaner apart from the expense of buying the additional copies of XP.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
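The source-address rule Phillip relies on across his replies (the route to the target decides the outgoing NIC, and a VPN address from the PC's own subnet changes nothing unless a more specific or preferred route points over the tunnel), as an added example that is not part of the thread: a simplified longest-prefix-match lookup run over constructed route tables for Mike's XP PC. The server address 10.0.1.50, the tunnel addresses and the metrics are assumptions; real Windows selection also involves interface metrics and binding order, which the tie-break here only approximates.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination network, e.g. "10.0.0.0/24"
    iface: str                     # interface the route points out of
    src: str                       # address the stack uses as source on that interface
    metric: int                    # lower wins when prefix lengths tie
    gateway: Optional[str] = None  # None means on-link


def select_route(routes: List[Route], dst: str) -> Route:
    """Simplified host lookup: longest prefix first, then lowest metric,
    then table order (standing in for the NIC binding order Phillip mentions)."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric, routes.index(r)),
    )


def source_for(routes: List[Route], dst: str) -> str:
    return select_route(routes, dst).src


# Constructed topology: the XP PC is 10.0.0.3/24 with its gateway at 10.0.0.1;
# the application server sits on the "different but nearby" subnet 10.0.1.0/24.
APP_SERVER = "10.0.1.50"
PC_ROUTES = [
    Route("10.0.0.0/24", "LAN", "10.0.0.3", 20),
    Route("0.0.0.0/0", "LAN", "10.0.0.3", 20, gateway="10.0.0.1"),
]
# Mike's first attempt: RRAS hands out 10.0.0.6, an address from the PC's own subnet.
PPTP_SAME_SUBNET = [Route("10.0.0.6/32", "PPTP", "10.0.0.6", 50)]
# "Use default gateway on remote network": a low-metric default route over the tunnel.
PPTP_REMOTE_GW = [Route("0.0.0.0/0", "PPTP", "10.0.0.6", 1)]
# Phillip's dual-NIC RRAS layout: the tunnel address comes from the server's subnet.
PPTP_TARGET_SUBNET = [
    Route("10.0.1.200/32", "PPTP", "10.0.1.200", 1),
    Route("10.0.1.0/24", "PPTP", "10.0.1.200", 1),
]


def original_attempt() -> str:
    # Nothing is routed over the tunnel, so only the LAN default route matches
    # the server and the connection is sourced from 10.0.0.3, as netstat showed.
    return source_for(PC_ROUTES + PPTP_SAME_SUBNET, APP_SERVER)


def with_remote_gateway() -> str:
    # Two default routes tie on prefix length; the tunnel's metric 1 wins.
    return source_for(PC_ROUTES + PPTP_SAME_SUBNET + PPTP_REMOTE_GW, APP_SERVER)


def same_subnet_target() -> str:
    # A server on the PC's own 10.0.0.0/24 is reached via the more specific
    # on-link LAN route, so the tunnel default route never comes into play.
    return source_for(PC_ROUTES + PPTP_SAME_SUBNET + PPTP_REMOTE_GW, "10.0.0.9")


def dual_nic_fix() -> str:
    # With an address from the server's subnet, the /24 over the tunnel beats
    # the LAN default route on prefix length alone.
    return source_for(PC_ROUTES + PPTP_TARGET_SUBNET, APP_SERVER)


if __name__ == "__main__":
    for name, fn in [("original attempt", original_attempt),
                     ("remote gateway enabled", with_remote_gateway),
                     ("target on PC's own subnet", same_subnet_target),
                     ("dual-NIC RRAS fix", dual_nic_fix)]:
        print(f"{name:26s} -> source {fn()}")
```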