-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Meshcentral Agent Proxy Activation Feature to reach agentless Clients on the Agents local LAN #3867
Comments
I think I will work on this next. My plan would be to use the existing "local device group" code, but select a device you want to relay thru. So, you would need to create a new "Relayed Device Group", select a relay device and you can start adding devices to the relayed group. The SSH/SCP/RDP support would be exactly the same as what is supported now with the "local device group", but it would be relayed. Let me know if that would work. I don't want to mix devices with agents and agent-less devices in the same device group, it would be difficult to deal with user permissions, etc. |
Very nice Ylianst, that would be the way I guess. Thank you! |
This is fantastic, we sometimes need to access firewalls, printers, DVRs, Synology and other devices via their web interface via HTTP / HTTPS This will be a dream!! |
I have been playing around with it and it's powerful. "Local device groups" would work on LAN/Hybrid mode, but this works in Hybrid/WAN mode which is going to be a lot more common. I can just click "Connect" on the terminal and SSH into my home router instantly, no agent required on the router. Almost too powerful. |
🥇 This is so nice, can't wait to play around with it 👍 |
Should be out later today. |
I was testing the version 1.0.8 and the relay is working very nice over MeshCentral-Router with the local tools like RDP Client, Putty and WinSCP all tested positively, like a charm. 👍 Following tings were behaving strange:
Following would be nice to improve and add:
As a conclusion keep as much as possible inside the browser, without external tools like MeshCentral Router, RDP, SSH, or SCP clients, so that credentials and access can be given to users without showing there contents. Thank you very much for this feature Ylianst you are The Best! 💯 |
Wow, good list. Working thru it now. For strange behaviors:
Improvements.
|
I am making improvements that will be in v1.0.11. My "Relay for" screenshots are not released yet. Maybe your WAN and LAN servers are different? If so, check that your WAN server has the following lines in the domain section of the config.json:
Also, you need NodeJS v11 or higher for the "SSH" feature to work. Also, add this to the domain section of the config.json:
That adds more links. You can add custom links this way. |
With that settings and update to node16 LTS the Web-RDP and Web-SSH appear now, but when entereing credentials it gets black for a second, does not connect and brings me back to the Web-RDP, to enter the Credentials again. Normal RDP Client via MeshCentral Router has no problems. Following Server Error log is appearing:
|
Just read through the thread, this is extremely awesome to see. I think this is pretty related to an old feature request of mine, #2615. The only difference is, here you have the "relay device" assigned to a device group, with the relayed devices under that device group. This is awesome and especially great for getting access to a large number of relayed devices from one place. For us, it would be really convenient if we could also put relayed devices in an existing device group (since we manage user permissions using groups assigned to regions). Would it be possible to add that functionality as well? Similar to choosing "Relayed Through Agent" as the group type when adding a new device group, it would be awesome to be able to choose "Relayed Through Agent" as the operating system type when adding a new agent. The you'd just feed it the relay device and local network IP and off you go! Seems like most of the work is already done to allow this. 😉
EDIT: Probably should have tried it out before writing all that. Just gave it a go and MeshRouter links work great! I noticed you have to choose a protocol type when adding a device though, why is that? The devices I just tested don't have RDP or SSH, only HTTP, so it's a bit odd to have to have the RDP link there. Anyways, this is amazing, it's going to save us so much time and training. You're a legend! |
@prononext - For Web-RDP, I make use of node-rdpjs-2 which does not support "NLA Authentication security layer". It's on their roadmap but they never built it. So, you have to go on the remote Windows machine and enable legacy authentication for RDP. This is unfortunate, I may have to work on adding support for it myself. |
@MatinatorX Arg. There are 3 devices types the server deals with (Device with Agent, AMT only and Agent-less). Because device groups set policies on these devices, a device group can only handle one device type. So, a device group is hard set to only contain one device type and you can't move a device to a device group of a different type. I am not likely to change this since I need to make it clear what policies are applied to each device. However I am open to create device security groups in the future when you would add a device to one or more device security group and set permissions for that. It would be a bunch of work. For "I noticed you have to choose a protocol type when adding a device though" - Are you talking about selecting "Windows", "Linux" or "MacOS"? This will set what protocols the device supports, I am open to improving that. |
@Ylianst Ah, that makes sense. Well, the way it works now is still super useful for us, it will just be a bit more effort managing permissions across multiple device groups that most users will need access to. I was thinking a way to skirt around that would be a feature request to allow a device or device group to inherit its permissions from another device or group, but with what you just explained I imagine this would only be possible with devices and device groups of the same type, so not a solution.
Yep, in my case most of the relay devices I want to add don't support any of the associated protocols that get added when you choose an OS. Things like BACnet devices and MSTP routers running on microcontrollers - you get an HTTP configuration interface (HTTPS if you're lucky) and that's it. The way you have it now, choosing an OS is required to add the device, and then the associated protocols are mapped to router links automatically, whether I need them or not. It's not a huge issue, but it would be nice if there was an option to set the type to "Custom" or "None" which wouldn't create any router links automatically. |
Lets support to get NLA finally implemented: citronneur/node-rdpjs#52 Going with legacy mode is really a security risk... |
The author or the original node-rdpjs went on to write a Rust implementation (rdp-rs) because:
I know you can't run Rust in a browser unless you cross compiles to WASM or maybe something else. Searching for WebAssembly RDP leads to myrtille. I didn't dig deep and there may be others. I bring this up because using WebAssembly in the browser may improve performance and provide other benefits like NLA. I'm a MeshCentral user and have a vested interest in seeing it improve. Thank you for an awesome project! |
@prononext I will give NLA implentation a try tomorrow. My understanding it that it's more-or-less RDP within TLS, but there is some data that to cause the switch into TLS. If this is correct, I should be able to do it. I do agree that legacy RDP is a security risk. @MatinatorX I am totally willing to improve the protocol selection for local devices. At some point, I should put some time on it. Local devices are going to be getting more use now that you can relay them thru agents. |
@Ylianst Awesome, just an option to add a relayed local device without any protocols would be really helpful. I was thinking a bit more about how to show relayed local devices together with their parent relay device without having them share a device group. Could be an option to move them from the My Devices page to a tab under the parent relay device instead, like a mini My Devices page just for the relayed local devices. This would keep the main My Devices page from getting too bloated, which is becoming issue for servers with lots of devices. It would also make it easier to find all relayed local devices under a specific parent relay device. Let me know what you think and if this should go in a separate feature request. |
@MatinatorX Interesting request. Basically, I would hide the relayed local device group and just display them in a sub-area of the device acting as a relay. It would be some work because when a sub-device changes it's state, I have to also send the message to the relay device so the web page stays current. I currently support changing what device acts as a relay for a device group, that would also need to be adjusted. UPDATE: I am currently deep into trying to port RDP NLA support from RDP-RS to NODE-RDP-JS2. It's complex with a lot of crypto and packet decoding/encoding work, it does not help that I have never read a line of Rust core before. I am going to have to send a HUGE thank you to @citronneur for writing that code. The Rust version has test cases in the code I used to check that my code was correct. It's going to take a while longer, I think I am 50% of the way there. If this works, I am thinking I may work on adding RDP support rights into the "Desktop" tab. Seems like that would be super nice. |
@Ylianst That's exactly what I had in mind. For us, it's not important at all the be able to change the relay device. I'm going to stick this in a new feature request and close my old one. |
Just published MeshCentral v1.0.13. The built-in RDP web client now has NLA support, so you can RDP to computers from the web site without needing to enable "Legacy Authentication" on the remote device. In addition to this, the RDP client is now enabled by default, so you don't need "mstsc": true inthe domain section of the config.json to enable it anymore. However, you can disable it with "mstsc": false. Let me know if it works. |
There are always cases where MeshCentral Agent cannot be installed on machines for various reasons, but inside that machines local network you might already have a agent running somewhere.
In that case this agent could be used as a Proxy to reach other agentless machines inside its local network via SSH, SCP, VNC, RDP, HTTP etc.
Many monitoring solutions use this functionality for monitoring the local network with just one agent installed (for example Zabbix Monitoring via Proxy).
My Idea is that inside a group (no matter if the Server is WANonly, LANonly or Hybrid) you click on "Add Agent" (better change that to Machine or Client) and have following functionality:
When this agent is added you will have the same functionality as you would have on local managed agentless devices (when in LAN and Hybrid mode) with the difference that the connection will be made through the selected proxy, which is forwarding and managing the request through updated agent code.
Under this added machine in the General Tab there will be a info that the device is connected to a specific proxy agent, which can be selected to go to that agents proxy settings page.
On the agent which is serving as proxy there is a new "Proxy" tab which is listing the devices info and ports which it serves as a proxy for.
In the Device list the Proxy Agent will be marked as "Proxy" and the machine which is reached though that proxy is also marked that it connects "via Proxy"
Let me know what you think about that idea and the possibility to realize it?
The text was updated successfully, but these errors were encountered: