Tunnelling RDP traffic over HTTP proxies
November 25, 2005
Does anyone know of any solutions for tunnelling RDP traffic through an
HTTP proxy?
Thanks in Advance,
Steve
< -> Hi Steve,
Is it just an HTTP proxy (which possibly has a web proxy filter, like for
example ISA Server 2004, or a Squid / ASA implementation), or is it capable
of HTTPS as well?
Does it support Basic authentication or is it Windows Integrated (NTLM,
Kerberos, Negotiate)?
Kind regards,
Jeroen van Meeuwen
< -> Unless you are willing to give more specific information, this is
already built into Windows with IIS and RDP. You can run RDP over
HTTP, or more importantly HTTPS.
It works with proxies as well; you will have to do a little work to
get that going.
When you say tunneling, you imply that you want to encapsulate RDP.
You can use VPN or SSH for either. Both are tricky to get running
through a proxy, but it can be done with a little research, a good
idea of how the network is set up, and some work.
< -> www.http-tunnel.com and sockscap (to socksify the RDP software).
< -> GNU HTTP-Tunnel – http://www.nocrew.org/software/httptunnel.html
will allow you to do this. It allows you to tunnel arbitrary ports
over HTTP (and via a proxy if you so choose). There are some drawbacks
though: if you are attempting to evade an application layer firewall
this will likely not help you, as the tunnelled data is still ‘visible’
insofar as it’s transferred in the clear. I’m not aware of any
(non-commercial) offerings which will tunnel over SSL.
STunnel – http://www.stunnel.org/
is a universal SSL wrapper that will encrypt communications. Note,
however, that if you wish to tunnel over HTTPS rather than just
wrapping your communications in an encrypted tunnel, you need Stunnel
wrapping something like HTTP-Tunnel to give you an end-to-end
encrypted tunnel over HTTP which may evade application layer
firewalls.
Morgan
< -> Hi Steve,
If port 443 is open, this enables you to tunnel any protocol. I’m confused
by you saying you need to authenticate with the proxy server first. That
would mean only ports 80 and 443 outbound _from the proxy_ are allowed through
the firewall. If that proxy only supports Kerberos authentication, I don’t
know what shell client you could use.
Anyway, here’s the setup I currently use: I have an outside Linux box with
SSHd on port 443, to which I log in using PuTTY, via an ISA 2004 proxy, with
Basic proxy authentication. Tunneling is an option in PuTTY, so that’s what
I use to tunnel my IMAP, RDP, VNC and SMTP.
To get it working in your case, I’d first verify if it’s only the proxy
that is allowed through the firewall, and whether you are able to let PuTTY
authenticate to the proxy.
Kind regards,
Jeroen van Meeuwen
November 25th, 2005 at 3:19 am
You can do that using PuTTY.
You go to Tunnels configuration and create something like: L9999 localhost:3389 and point your Remote Desktop Connection to localhost:9999
Now set up your PuTTY to use an HTTP proxy server:
Connection -> Proxy
NB: an SSH server with port forwarding enabled has to run on the remote server.
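
What a proxy or application-layer firewall can see of the setups described in this thread (SSH or RDP carried through an HTTP CONNECT tunnel to port 443), as an added detection example that is not part of the original thread. The function names, host names and sample bytes are constructed for illustration; the check assumes the proxy can record the first bytes each side sends inside the tunnel.

```python
import struct

def classify(first_bytes: bytes) -> str:
    """Label the first bytes one side sends inside a CONNECT tunnel."""
    b = first_bytes
    if not b:
        return "empty"
    # SSH identification string (RFC 4253, section 4.2) always starts "SSH-".
    if b.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 3, handshake type 1 (ClientHello).
    if len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04 and b[5] == 0x01:
        return "tls"
    # RDP: TPKT header (version 3, reserved 0, 16-bit length) + X.224 Connection Request (0xE0).
    if len(b) >= 6 and b[0] == 0x03 and b[1] == 0x00 and b[5] == 0xE0:
        (length,) = struct.unpack(">H", b[2:4])
        if length >= 11:  # 4-byte TPKT header + 7-byte minimum X.224 CR
            return "rdp"
    return "unknown"

def review_connect(target: str, client_first: bytes, server_first: bytes):
    """Return (labels, flagged). Flagged means: port 443, data seen, no TLS handshake."""
    port = int(target.rpartition(":")[2])
    labels = sorted({classify(client_first), classify(server_first)} - {"empty"})
    return labels, bool(labels) and port == 443 and "tls" not in labels

# Constructed samples: CONNECT target -> (first client bytes, first server bytes).
SAMPLES = {
    "tls-site.example:443": (bytes.fromhex("16 03 01 00 2f 01 00 00 2b 03 03"), b""),
    "ssh-box.example:443": (b"SSH-2.0-PuTTY_Release_0.80\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
    "rdp-host.example:443": (
        bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00"), b""),
}

def flagged_targets(samples=SAMPLES):
    """List the CONNECT targets whose tunnel did not start with a TLS handshake."""
    return [t for t, (c, s) in samples.items() if review_connect(t, c, s)[1]]

if __name__ == "__main__":
    for target, (c, s) in SAMPLES.items():
        print(target, *review_connect(target, c, s))
```

A tunnel wrapped in SSL, as in the Stunnel reply, classifies as `tls` here, so this check only covers protocols sent in the clear inside the CONNECT tunnel.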