Alt port connections

Brian Bergin · ‎06-01-2012

Recently I've found several places where they've locked down their Internet access so tight that I'm unable to get to things like RDP or HTTPS through the tunnel created by connecting using OnPlus. Would it be possible to make an option to send the tunnel traffic to RDP over 443 which is much less likely to be blocked by a hotel or university - I was sitting at Appalachian State University connected to their Guest Wi-Fi network, was able to log into the OnPlus Beta Portal, but was unable to RDP to any system via OnPlus but I could get to https sites which suggests to me that 443 is open but even RDP connections on 3389 are blocked there (we still have a couple of customers who insist on running RDP servers on the standard port).

In fact, I'm also unable to get to the OnPlus unit likely becuase the tunnel created is on https://......:11305 which tells me they're blocking most, if not all, non-standard ports too making OnPlus much less effective when not in a controlled environment.

Thanks...
Brian

Michael Holloway · ‎06-04-2012

Hi Brian, it sounds like that network could be blocking connections to TCP port 11305, which the portal uses to proxy 'generic' TCP flows through down to the device. This is pretty much all cross-launch tunnel types other than 'Web' connections to devices. Those 'web' connections are served instead by ports 11700-11800 at the portal, which allows the portal to stay in the middle of HTTP/HTTPS flows and to re-write (fix-up) absolute URLs to relative ones for devices that expect their webpages to only ever be accessed from local IP addresses (usually private RFC1918 addresses) - if that option is selected in the portal.

Moving TCP port 11305 on the portal over to use 443 instead would take some doing on our part, because we already use that port to handle https traffic to the portal shard that you're connecting to. To do this, we'd need to move the generic tunnel proxy off of the portal shard, or add additional IPs to shards and to the all the back-end systems that manage them. It's certainly a possibility for the future of OnPlus, as we're currently looking into those types of scaling issues for the portals as the service expands, but I don't think we could do this in the short-term.

-mike

Brian Bergin · ‎06-04-2012

No problem in the short term, just reporting what I've seen at multiple locations recently. One thought, is there any reason why you couldn't send HTTPS traffic over port 80 as an alternate port to send the tunnel traffic over? If you use 443 for the portal, I'm betting 99.999% of these types of locations don't block port 80.

Michael Holloway · ‎06-04-2012

Interesting, I had to go research that. RFC2817 (http://www.ietf.org/rfc/rfc2817.txt) describes a method of serving both HTTP and HTTPS on the same port using the HTTP/1.1 'upgrade' mechanism, but it isn't used in practice and brings some fairly major challenges with it, such as making it difficult for the client (browser) to determine if the traffic is supposed to be secure, or insecure.

-mike

Michael Holloway · ‎06-04-2012

Thinking about this a bit more. I was wondering, what if we used an alternate service port not in use by the portal that is likely unblocked on many networks, such as POP3 (TCP port 110). The problem with using 'priviledged' ports in this way is that networks that have content-aware firewalls might start blocking traffic when they see something in the traffic that they don't recognise. Moving connection tunnels to these ports could potentially cause problems for more people than just networks that block connections to non-priviledged ports.

TCP 443 might work in most cases, as firewalls are usually forced to ignore the packet contents as they are typically encrypted anyway. As we look at scaling our tunnelling system to support more connections (another frequent OnPlus user request) and possibly make this kind of change, we'll have to do some extensive testing around the many types of content-aware firewalls to see how they react.

Trying to think of non-priviledged TCP ports (1024+) that might be more likely to be open on public networks for encrypted traffic. there are some networks that *do* black-list things like typical instant messenger or VoIP ports, but allow connections through on all other ports. I think we originally chose the range in use today out of consideration for this issue.

-mike

Brian Bergin · ‎06-04-2012

Content-aware firewalls can't inspect the traffic inside an encrypted tunnel, right? If so, could you use an alt SSL/TLS POP3/SMTP port like some services like Gmail or Microsoft Exchange Online use, say 587 or 465 or 995?

Michael Holloway · ‎06-04-2012

That's a great point. TCP 995 might be a good candidate for us to test with. We're having an internal discussion about alternate/fallback ports now for other processes (such as heartbeat, firmware downloads), the developers see all forum discussions, so I suspect they are already talking about this

-mike

Brian Bergin · ‎09-05-2012

Michael,

Any movement on this issue? 11305 seems to be a major roadblock in many locations. Without a fix OnPlus has become all but usless for me in many current environments I find myself in. I can't believe I'm the only one.

Brian