Remote Access

The Point-to-Point Tunneling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs).

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is used to provide strong, certificate-based mutual authentication between the VPN client and server.

MPPE (Microsoft Point-to-Point Encryption) with 128-bit encryption is used for encrypting the PPP payloads. The use of MPPE-128 may not be appropriate in all environments. If it does not meet your required security standards, do not use this VPN feature.

Note: The PPTP Settings (Client-to-Server VPN) is not available if you are on the SMB Controller.

The IP addresses for PPTP clients are allocated from within the local subnet range managed by the DHCP server. The addresses are taken from the last portion of the range, and the number used depends on the “Number of PPTP clients” that you program.

For example, if you program “10” as the “Number of PPTP clients” for local subnet 192.168.1.10 to 192.168.1.100, then the last ten addresses in the range (.11 to .100) will be allocated to PPTP clients for VPNs.

If necessary, you can increase the total number of addresses available to all clients by modifying the local subnet range. For details see Configure DHCP Server.

Enable VPN Access

To enable VPN access:

  1. Under Security click Remote access.
  2. Under PPTP Settings in the Remote Access panel, enter the number of individual PPTP clients that will be allowed to connect to the server simultaneously. This can be the total number of remote PPTP clients in the organization, or, if you have a slow connection to the Internet and do not want all of those PPTP clients to connect at the same time, enter a lower number. Enter 0 to deny PPTP connections.
  3. Click Save. The server is now ready to accept PPTP connections.

Setting Up a VPN Connection on Clients

To create and configure a VPN connection on the user's computer, refer to the Digital VPN Certificates for System Users section in the Mitel Standard Linux Installation and Maintenance Guide on the document center.

Remote Management

Remote management allows hosts on the specified remote IPv4 and IPv6 network(s) to access the server manager of your MSL server. To limit access to the specified host, enter a subnet mask of 255.255.255.255 for IPv4 networks or a CIDR prefix of /128 for IPv6 networks. If your mask allows a range of IP addresses, any hosts within that range can access the server manager using HTTPS. See also Grant Access Privileges to Trusted Local Networks .

To add a remote management network:
  1. Under Security, click Remote access.
  2. Scroll to the Remote Management section.
  3. In the Network field, enter the IP address of the remote host for which you want to allow access.

    • If IPv6 is disabled, in the Subnet mask field, enter an IPv4 subnet mask to limit the range of access (e.g.,255.255.255.255 limits access to the specified IP address).

    • If IPv6 is enabled, in the IPv4 Subnet mask or IPv6 prefix field, enter an IPv4 subnet mask to limit the range of access (e.g.,255.255.255.255 limits access to the specified IP address) or specify an IPv6 prefix (eg. / 64) to define the address range for IPv6.

  5. Click Save.

Secure Shell Settings

About the Secure Shell

Use the Secure Shell Settings section to control access to your server. The public setting should only be enabled by experienced administrators for remote problem diagnosis and resolution. We recommend leaving this parameter set to "No Access" unless you have a specific reason to do otherwise.

Warning: Before allowing secure shell access to the server using standard passwords, please ensure you set a secure admin/root password on the server. With a weak password, an internet-facing server can be compromised very quickly.

Configuring SSH (Secure Shell)

SSH provides a secure, encrypted way to log in to a remote machine across an IPv4 or IPv6 network, or to copy files from a local machine to a server. Programs such as telnet and ftp transmit passwords in plain, unencrypted text across the network or the Internet. SSH and its companion program SCP offer a secure method for logging in or copying files. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.

SSH Access

Accessing an MSL server via SSH is secure when configured properly. When exposing SSH to the Internet or untrusted networks, the following settings are recommended:

  • Secure shell access: Allow access from trusted and remote management networks

  • Allow administrative access over secure shell: Yes, only if required; otherwise, No

  • Allow secure shell access using standard passwords: No

Enabling administrative access (root login) may seem unusual, but it is necessary if the purpose of SSH access is to log in as the root user. The critical security recommendation is to avoid standard password authentication. Instead, use RSA key–based authentication.

RSA Authentication

The RSA algorithm provides a secure form of public key cryptography using a pair of keys:

  • Private key — Commonly named id_rsa. Keep this key confidential.

  • Public key — Commonly named id_rsa.pub. This key is pasted into the Server Manager UI.

Key generation is documented in the OpenSSH ssh-keygen manual and widely available online. On Windows, PuTTY users can generate keys using PuTTYgen. Since PuTTYgen uses its own format, convert the key to OpenSSH format:

  1. Load your private key in PuTTYgen.

  2. Go to Conversions and Export OpenSSH to export an OpenSSH format file.

RSA authentication prevents password-guessing attacks. Even if attackers attempt to brute-force passwords, authentication will fail because login requires possession of the private key. If your private key is ever compromised, generate a new keypair immediately and remove the old key from the server.

OpenSSH, included with the MSL server, is a version of the SSH tools and protocol. The server provides SSH client programs, as well as an SSH server daemon, and supports the SSH2 protocol.

To configure SSH:
  1. Under Security, click Remote access.
  2. Scroll to the Secure shell settings section.
  3. Select a Secure shell access option:
    • No access – (Default) SSH access not allowed.
    • Allow access from trusted and remote management networks – This option enables you to access the server from local networks and remote management networks. To add a remote management network, see Remote Management.
    • Allow public access (entire Internet) – This option enables you to access the server from anywhere on the Internet. It is selectable only if you have configured a strong SSH (system admin) password. If you have a weak password and attempt to select this option, you will receive the following warning: "The system administration password is set to a weak value. The "Allow public access" option in the form below will remain disabled until the system administration password has been reset to a strong value."
  4. Program the configuration options:
    • Allow administrative command line access over secure shell - This option allows someone to connect to the server and log in as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for the system, but in most cases, we recommend setting this option to No.
    • Allow secure shell access using standard passwords - If you set this option to Yes, users will be able to connect to the server using a standard user name and password. This may be a concern from a security perspective, as someone attempting to break into the system could connect to the SSH server and repeatedly enter usernames and passwords in an attempt to find a valid combination. A more secure way to allow SSH access is RSA Authentication, which involves copying an SSH key from the client to the server.
  5. Key-based SSH access - Upload a new public SSH key for remote access to root users:
    • Key description - Enter a label for the SSH key.
    • Public SSH key to upload - Click Choose File to select and upload a public SSH key file.
    Note: The public SSH key must be in OpenSSH format.

    After upload, the table displays the installed SSH key for root users. Select the checkbox under the Delete column to remove the uploaded SSH key and add a new one.

  6. Click Save to apply the SSH configuration.

Once SSH is enabled, connect to the server by launching the SSH client on the remote system. Ensure that it is pointed to the external domain name or IP address for the server. In the default configuration, you will be prompted to enter your user name. Enter "admin" and the administrative password. You will be in the server console. From here, you can modify the server configuration, access the Administrator Portal via a text browser, or perform other server console tasks.

Note: By default, only two user names can be used to log in remotely to the server: "admin" (to access the server console) and "root" (to use the Linux shell). Regular users are not permitted to log in to the server.

Obtaining an SSH Client

Several free software programs offer SSH clients for use in Windows or Mac environments. Starting with Windows 10, OpenSSH is built into MS Windows. Several are extensions of existing telnet programs that include SSH functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.

A commercial SSH client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic, and certain non-commercial uses.

Access Server Manager via SSH Tunnel

You can also reach the Server Manager UI using an SSH tunnel. For example:

ssh -L2000:localhost:443 my.msl.server

This command:

  • Creates an SSH session to the server.

  • Forwards your local port 2000 to the server's HTTPS port 443.

After the tunnel is active, open your browser and go to:

https://localhost:2000/server-manager

This loads the Server Manager UI securely through the SSH tunnel.

Managing Digital Certificates

About Digital Certificates

In the MSL server, an IPsec digital certificate is created for each user account after

  • the user account is in the "locked" state, and then the password is set, causing the account to be unlocked.

  • you choose the Reset digital certificates option in the Remote Access panel (see below). If the user's password is already set and VPN client access is enabled, but a certificate does not exist for the user, go to the user-modify panel and click Save to create a new certificate.

Once the certificate is created, the Download button appears on the user modify page, allowing you to download the certificate to a client.

CAUTION:
Watch out for time skew! Ensure that the windows clients and the MSL server have the correct date and time set before starting. Certificates have a start and an end date, and they are only valid between those two dates. The start date is set to the date and time that the certificate was created on the MSL server, so if the clock on the windows client is 12 hours behind, the certificate will not be valid on the client machine for 12 hours after it is created. If you have make a significant change to the date and time on the MSL server you may need to click Reset digital certificates on the Remote Access panel and re-create certificates for all users (following the instructions above).

Importing Digital Certificates

To import certificates on Windows 2000/XP systems:

  1. If you have an export version of Windows 2000 Professional, install the High Encryption Pack or SP2+ from Microsoft's Web site.
  2. Log in to the windows machine as "Administrator".
  3. Access the Server Manager on the MSL server from the machine that you are setting up as the IPsec client. You may need to temporarily allow remote administration access for the client machine's IP address from the Remote Access panel on the MSL server.
  4. From the Users panel, select the user account that will be connecting to the server via the IPsec connection, and then click Modify. If there is a Download button for downloading the certificate, click the button. If there is no Download button, the user does not yet have a certificate (see About Digital Certificates above).
  5. Save the certificate file to a safe place that is not shared on the network, and not accessible to other users on the machine that don't have "administration" privileges.
  6. Click Start and then Run.
  7. Enter "mmc" and then click OK. This will start the Microsoft Management Console.
    • Win2000 only: From the menu, select Console and then Add/Remove Snap-in.
    • WinXP only: From the menu, select File and then Add/Remove Snap-in.
  8. Click Add.
  9. Select the Certificates snap-in. Click Add.
  10. Select Computer account. Click Next.
  11. Select Local computer. Click Finish.
  12. In the Add Standalone Snap-in window, click Close.
  13. In the Add/Remove Snap-in window, click OK.
  14. The Certificates snap-in has now been added.
  15. Expand the Certificates tree by clicking on the plus (+) sign. Right-click on the Personal folder, select All tasks and then Import. The Certificate Import Wizard starts.
  16. Click Next.
  17. The "File to import" box appears. Click Browse.
  18. Change Files of type to Personal Information Exchange (*.pfx, *.p12).
  19. Select the certificate file that you downloaded from the Administrator Portal earlier. Click Open.
  20. In the File to Import dialog. Click Next. There is no password protecting the certificate file.
  21. Click Next.
  22. Select Automatically select the certificate store. Click Next.
  23. Complete the Certificate Import Wizard by clicking Finish.
  24. Right-click on the Certificates tree node and select Refresh to reveal the certificate you just imported.
  25. The imported certificate should now appear in the Personal/Certificates/ sub-folder of the Certificates tree. Click on this sub-folder, and double-click on the certificate. In the certificate information window, select the Certification path tab, and check the Certificate Status.
  26. If the status reports This certificate is OK, then continue to the next step.
  27. If there is a problem with the certificate, you may need to start over. Right-click on the certificate and choose Delete, and then click Yes. Repeat the procedure from Step 4.
  28. Click OK in the certificate information window to close it.
    • Win2000 only: From the menu, select Console and then Save.
    • WinXP only: From the menu, select File and then Save
    .
  29. Keep the default folder, but change the File name field to certificates. Click Save.
  30. You have successfully imported the certificate. Close the MMC window.

Deleting Digital Certificates

The IPSEC digital certificate for a user is removed when the following occurs:

  • The user account is locked.
  • The user account is deleted.
  • VPN Client Access is switched off from the user modify panel.

To manually delete client certificates, go to the Remote Access panel and check the box labeled Reset digital certificates. Click Save.

Parent topic: Remote Access