Remote access security

[micomms]

Remote Acess has been setup on an IPO using Dial In and works ok, using Remote Desktop to a local PC running Manager:

Can remote access be set up in such a way that prevents remote engineer from accessing clients LAN, even if the IPO already has an IP address on the clients LAN, solely for administering the IPO and nothing else? Can the IPO be set up to 'Callback' a pre-defined number?

 

[jayuk2000]

No the ipoffice will not do call back. Also when you connect to the system if you have no remote desktops apps running then you will not be able to get to any of there pc as you will not be on there domain.

 

[micomms]

Ok, when I am remotely connected, I can ping any PC on the clients LAN, and this is a security issue for the client.
Does it matter if I am not in the same domain?

One other thing, if there is no PC running manager locally, I am also having trouble getting manager remotely to locate the IPO over the dial up connection. Have tried turning off firewalls etc. Any ideas ?

 

[BoyRacer1001]

Remote via the .99 subnet will not allow access to the rest of the customers LAN, but will allow administration of the IPO. If you need more than that (VNC to PC) then we can't restrict it if you come in via another IP Route.
Best way then is to use a customer VPN connection which can be better controlled.

 

[micomms]

Thanks for that.

I have tried access via the .99 subnet (as per IP route), but could not get it working. I set a static IP of 192.168.99.1 on my windows dial up connection, but couln't connect to the IPO.....do I need to deactivate DHCP completely on the IPO...what am i missing (documentation is no help?

 

[micomms]

Actually, to correct myself. I WAS able to Dial In and connect to IPO successfully, using a .99 subnet address on my local PC, however, problem is I can't pull a config off the IPO when using Manager.

 

[tlpeter]

actualy you can use remote desktop when you dail in
but only if you make a route from the pc to the ipo
a network guy knows how to do this

 

[intrigrant]

Yes the IPO can call back a predefined number for remote access.

Callback
Create a normal service and a RAS with the same name as your dial-in account, by default RemoteManager.
In the service you can program a telephone number and activate the option "callbackCP" in the PPP settings.
In the dial-up settings on your PC enable "LCP extensions" on the network page > settings of the type of dial-up connection.

Cannot open config of IP Office
You must set the discovery in manager>preferences to 255.255.255.255 and disconnect all network connections on your dial-up PC before make a dial up connection.

Access computers on the customer network
If you enable Proxy ARP on the IP Route to RemoteManager and you use a IP Address in your dial-up settings in the same subnet as your customer then you can access PCs in the customer network with remote derktop or VNC.

 

[micomms]

Thanks for that, much appreciated.

I had some Cisco VPN client s/w which was preventing opening a config with Manager...uninstalling fixed it.

I will try the callback setup and see.

Apart from callback, is there another way of configuring the IPO to limit remote access to the IPO alone (using dial up)? What is the point of the '192.168.99.0' IP Route to remote manager?

 

[micomms]

Got it sorted out.

Turned off DHCP, allocated a .99 address to my PC, added an R____ short code to RemoteManager for CLID matching. It now limits access to IPO only, plus the matching CLI restriction, makes it much more secure.

Cheers.