Bug 3161 - Support for reaching multiple machines using only one IP and port
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: 3.0.0
Hardware: PC Unknown
Importance: P2 Enhancement
Target Milestone: MediumPrio
Assignee: Peter Åstrand
Duplicates: 4358
Reported: 2009-06-02 14:36 CEST by Peter Åstrand
Modified: 2024-09-02 08:15 CEST

Comment 1 Peter Åstrand cendio 2009-06-09 11:20:10 CEST
HTTP proxies might also be an alternative. 
Comment 2 Peter Åstrand cendio 2009-10-12 14:14:13 CEST
While we currently lean towards HTTP proxies, there are arguments for SOCKS as well. For example, ssh actually has built-in SOCKS server support. There are also some discussions on the VNC list about adding SOCKS support to TigerVNC.
Comment 3 Karl Mikaelsson cendio 2012-06-27 12:20:36 CEST
OpenSSH does support SOCKS proxies nowadays.

See for instance http://www.debian-administration.org/articles/449
Comment 5 Karl Mikaelsson cendio 2016-10-18 15:59:12 CEST
See also: bug 3003.
Comment 7 Pierre Ossman cendio 2019-10-24 07:06:19 CEST
There are two main ways of doing this, either by having some ThinLinc-specific gateway (like Microsoft and Citrix do things), or by having a more standardised reverse proxy (using something like bug 500).

The problem with the second approach is how to configure clients. Manually pushing configuration to all clients doesn't really scale well. And you don't want to force users to reconfigure their proxy settings when switching servers.

One idea on how to deploy this is TXT records. Look at DNS-SD for an example of how they can be used to effectively convey out-of-band details.

The big question is how feasible it is for administrators to configure their DNS zones in this way.
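
An added sketch (not from the bug report and not ThinLinc code) of the TXT-record idea in comment 7: a client decodes DNS-SD style key=value strings from TXT RDATA and rejects a gateway that fails validation, since DNS answers are unauthenticated unless DNSSEC is validated. The key names `gateway` and `port`, the helper names, and the rule that the gateway must sit under the domain the user entered are assumptions made for illustration.

```python
import re

# Hypothetical key names; the bug report does not define any record format.
HOST_KEY, PORT_KEY = "gateway", "port"
_HOSTNAME = re.compile(r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def parse_txt_rdata(rdata: bytes) -> dict:
    """Decode TXT RDATA (length-prefixed strings) into DNS-SD key/value pairs."""
    attrs, pos = {}, 0
    while pos < len(rdata):
        length = rdata[pos]
        chunk = rdata[pos + 1 : pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("TXT string runs past end of RDATA")
        pos += 1 + length
        key, sep, value = chunk.partition(b"=")
        # RFC 6763: keys are printable ASCII; a string with no key is ignored.
        if not key or any(b < 0x20 or b > 0x7E for b in key):
            continue
        name = key.decode("ascii").lower()  # keys are case-insensitive
        # First occurrence wins, so a string appended later cannot override it.
        attrs.setdefault(name, value if sep else None)
    return attrs


def gateway_from_txt(rdata: bytes, trusted_suffix: str):
    """Return (host, port), or None if the record is absent or fails validation."""
    attrs = parse_txt_rdata(rdata)
    host, port = attrs.get(HOST_KEY), attrs.get(PORT_KEY)
    if not host or not port or not port.isdigit():
        return None
    host = host.decode("ascii", "replace").lower().rstrip(".")
    port = int(port)
    if not _HOSTNAME.fullmatch(host) or not 1 <= port <= 65535:
        return None
    # Policy assumption: only accept gateways under the domain the user asked for.
    if host != trusted_suffix and not host.endswith("." + trusted_suffix):
        return None
    return host, port


def encode_txt(*strings: bytes) -> bytes:
    """Build constructed sample RDATA (one length byte per string)."""
    return b"".join(bytes([len(s)]) + s for s in strings)


# Constructed sample record: mixed-case key, a duplicate key and a keyless string.
SAMPLE = encode_txt(b"gateway=gw.example.com", b"PORT=443", b"gateway=other.example.net", b"=nokey")
```
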
Comment 12 Pierre Ossman cendio 2022-10-25 13:18:18 CEST
*** Bug 4358 has been marked as a duplicate of this bug. ***
Comment 18 Pierre Ossman cendio 2024-09-02 08:10:03 CEST
(In reply to Pierre Ossman from comment #7)
> There are two main ways of doing this, either by having some ThinLinc-specific
> gateway (like Microsoft and Citrix do things), ...

For reference, Microsoft's product for this is called "RD Gateway". It is often touted as a security improvement, but it doesn't improve much in the way of security, as it uses the same authentication methods as the RDP server. It is fewer machines to keep fully updated, though.

It tunnels RDP over HTTPS, which should make it more friendly for more complex network setups. Unclear exactly what HTTP mechanism it uses, though. It is old, so likely not WebSockets.

Microsoft has not solved the user side of things well. Their client can either get a single setting from GPO, or the user can manually enter a single value. This means it is annoying for users connected to different sites.

Their client at least has the option of caching the credentials used for the gateway for reuse to the RDP server.
