General Discussion: General discussion about SageTV and related companies, products, and technologies.
#1
Getting around the "appearance" of port forwarding?
Hey Guys!
The title is a little weird, but basically this is what I'm trying to do but have been unable to figure out. Here's the deal... I work at a large company and they recently made some big changes to their proxy stuff and what they allow us to see external to the company network. Right now I'm typing this while on break and I have no problem getting to this webpage to type this post. However, anything with "gun" anywhere in the title, you can forget about it. That's fine, but what else they did with their big update is that I'm now prevented from accessing anything on my home network. I used to be able to use PlaceShifter. I used to be able to log in and see my DVR and cameras. I used to be able to log into the Sage mobile menu and, while not watch my recordings, set some as watched, etc. Now I can do NONE of that. The DDNS that I used for my security camera DVR no longer works, and typing in the actual IP address with the port (like xxx.xxx.xxx.xxx:125) no longer works either. What I'm thinking is happening is they are blocking anything that has a colon and port.

I have a couple of parked domains and have even tried using one of those with an .htaccess 301 redirect so that when I type in my domain name it redirects to my Sage server. Well, the redirect works but then fails when the address bar changes to the IP and port. I even tried an .htaccess thing that was supposed to keep the original URL you typed even after it forwarded (I think it would keep the www.mysite.com) but it didn't work either.

Do any of you guys know if it is possible to access my Sage server externally without it appearing like I'm accessing a port (using a colon in the web address)? Can something be done in my router, I wonder, if I use one of my parked domains? (D-Link DIR-655) I could probably do it if I set up a web server at my home but would prefer not to do that. I know how to set up port forwarding and stuff like that but am no expert, and this one has me stumped. Thanks!
#2
My guess is that they've heavily locked down the outbound ports on their firewall (in addition to some basic content filtering). Presumably they've kept outbound 80 and 443 open for HTTP and HTTPS, respectively, but that's probably about it.
In that case, your options would be pretty limited. If your ISP doesn't block inbound ports 80 and 443 (many do), you could move a couple of services to those ports (you may need to run HTTPS on port 443, depending on what kind of network monitoring your workplace is doing). I'm guessing installing software at work isn't an option. If they're locking down outbound network access they probably don't want you installing software.
#3
Thanks for the reply! Oh yeah, it's heavily locked down now and you are correct, no software installation is allowed.
Way back in the day I did run a web server out of my house. I do keep a few computers on 24/7 right now (yeah, I know... eating electricity), so installing web server software on a computer is an option. Even though I'd prefer not to do that, really, what's the harm, I guess? I seem to recall I had like 5 web pages I hosted, and depending on the URL typed in, a different folder was accessed for the index.htm web page. So do you think it would work to direct port 80 to one of my computers that is on 24/7 and then, from that computer (now web server), direct it to my Sage server with the port??? When I hosted the 5 web pages before, they were all located on the computer that port 80 was directed to, and the web address that was typed in determined what folder was used to show the index page. Where this would be different is that rather than just having the traffic go to a folder on that computer, could I redirect it again to another computer's IP address with the port number? Hmm??? Ideally I would like to have one of my parked domains go to my Sage server and another go to my camera DVR. Thanks!
#4
If I could be the wet blanket for a minute, it's quite likely that attempting to circumvent the firewall will be some violation of corporate policy and could land you in hot water. They put those rules in place for a reason, and activity trying to work around them will likely appear suspicious/nefarious to your security folks.
#5
Quote:
#6
I'd like to echo what the other guys have said. It's not worth your job. Just turn off wifi on your phone when you want to do those sorts of things and just use your phone's data plan then get back on wifi when you're done.
#7
I will throw out there, that if you just want to access the webserver, you should be able to enable SSL and use the regular https port 443, and if they're not whitelisting IPs/domains (which it sort of sounds like they are), that should just work.
#8
My company did something similar a couple of years ago and it is quite annoying on both the port blocking front and the content filtering as it can block you from getting at sites that you need for your job occasionally.
There can be a couple of options to get around this, one of which was already mentioned. By the way, I am guessing that you have always been hosting a web server, as the SageTV web UI is essentially a web server running through Jetty. It normally uses port 8080, and my company does allow port 8080 through as well. If you know the IT guys at your company you might want to ask which ports are allowed.

Does your company have a guest WiFi network that isn't connected to your LAN? If so, then you could connect a laptop, tablet or phone to that and try Placeshifter, as it is likely not locked down to the same extent as the corporate LAN.

Another thing that you could try, but which is a bit more work, is to install a proxy server at home and use this to access content, but it likely will be blocked as well and it may not work for stuff like streaming video. I tried this but it was blocked by my company. Essentially this would use your home network to reroute everything to go through port 80 and a web browser.

And then there is the option, already mentioned, of just using the LTE network for stuff like Sage. But that can chew up large amounts of data if you do it very often.

On a related note, although this is unlikely to help your specific problem, I find it useful to have OpenVPN running on my router so that I can consummate a VPN connection to my LAN. This can help to troubleshoot SageTV issues when not at home, as you don't need to do port forwarding. And it also lets you access other things on your LAN that may not normally be accessible over the internet.
#9
What you're talking about doing is a reverse proxy, so that everything either goes over port 80 or 443 and is then routed internally to the appropriate server/port.
This is how I've got things set up for Sage, security cameras, etc., so in my browser I just put sage.mydomain.com and the reverse proxy routes that to my Sage server, or I put in security.mydomain.com and it goes to BlueIris, which I use for the IP cams. I use IIS for the reverse proxy as I already had it set up to run a couple of websites anyway; this runs in a VM, and Sage itself runs on the host. I've also set up SSL certs using LetsEncrypt so everything runs over HTTPS. I've never run Placeshifter this way, so I don't know if it would work, but I don't see why it wouldn't. As long as you're running everything over port 80 or 443 I don't see how that would be in breach of company policy.
#10
That seems like an overstatement... If you have a fairly allowing personal-use policy at work, you're probably safe accessing personal web sites. But, I wouldn't necessarily extend that to other services.
#11
Quote:
Of course, if you're working for a company that is hell bent on restricting everything, imo, that company isn't worth working for, but then that's probably why I work for myself!
#12
Sure. If you stick to HTTP and HTTPS sites, you should be fine. But if they're going to the trouble of blocking other protocols, I wouldn't try to bypass that by routing the Placeshifter over port 80 or 443. An IDS would likely flag that.
Last edited by reggie14; 02-04-2016 at 11:38 AM.
#13
Yeah, I've seen running SSH (port 22) over telnet (port 23) flagged.
#14
Just guessing here but since you work for a large company they probably don't actually open up ports 80 or 443 or anything that we typically do with our home equipment.
Most large companies set up an "air gap" between their networking equipment and then force all internal connections to go through a single server that then accesses the internet. This single server (or network appliance) can be accessed through either a proxy or NAT configuration (I'm guessing probably NAT in your case). The reason they do this is that this single server becomes the content filter, the logger of employee traffic, and the "man in the middle" to break SSL encryption. I would be surprised if this server didn't do deep packet inspection and prevent things like VPNs even if you are going over port 80/443. By the way, if you want to know if your company does deep packet inspection on encrypted connections, check if your phone/laptop has a custom root certificate from your company installed on it; this usually indicates "man in the middle" attacks.

I've worked for companies before that have done stuff like this and, in my humble opinion, it is indicative of a bad company. Work shouldn't feel like jail, and the company should treat their employees like adults. I would not recommend using company assets (internet, computers, company phones, printers, etc.) for ANYTHING other than work. If you must access sites and such on personal time, then use your phone or bring a laptop and tether your phone to it. I know that sounds extreme, but unless you work in a secure industry, like for a defense contractor, there aren't many good reasons for companies to set up restrictive systems like this. So this setup probably indicates that your company has a rambunctious IT department and non-tech-savvy management. If IT catches you getting around their systems they will scare management into terminating you; it's just not worth the risk.
#15
Do you mean a personal phone/laptop or a company issued phone/laptop?
#16
I somehow doubt they're running a TLS MitM proxy. The easiest way to check, though, isn't to inspect the trust store. Just go to a couple HTTPS-protected websites and inspect the certificate from the browser. The certs used by a MitM proxy should immediately look suspicious. For one, they probably are signed by a root CA. Two, the CA name will probably look extra weird.
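The certificate check described in this post, written out as an added example (not code from the original thread): the program mints a constructed public-root chain and a constructed "Example Corp Web Filter CA" chain for the same hostname, then classifies each by whether it validates against the public root or only against the locally installed one. The CA names, the host forums.example.com and both root sets are constructed for the demo; on a real machine the two pools would be the browser's bundled roots versus roots an administrator added.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert mints a constructed test cert: a self-signed CA when parent is nil, else a server cert for name.
func mkCert(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // self-signed root: sign the template with its own key
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // server leaf for name, signed by parent
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // constructed data; no error expected
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify is the post's browser check in code: "ok" via the public root, "intercepted" only via the local root.
func classify(leaf *x509.Certificate, host string, publicRoot, localRoot *x509.Certificate) string {
	verdicts := []string{"ok", "intercepted"} // index i matches the root tried at step i
	for i, root := range []*x509.Certificate{publicRoot, localRoot} {
		roots := x509.NewCertPool()
		roots.AddCert(root)
		if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err == nil {
			return verdicts[i]
		}
	}
	return "untrusted"
}

// demo issues two certs for host: one from a constructed public root, one from a constructed "web filter" root.
func demo(host string) (direct, proxied string) {
	pubCA, pubKey := mkCert("Constructed Public Root CA", nil, nil)
	filterCA, filterKey := mkCert("Example Corp Web Filter CA", nil, nil)
	realLeaf, _ := mkCert(host, pubCA, pubKey)
	proxyLeaf, _ := mkCert(host, filterCA, filterKey)
	return classify(realLeaf, host, pubCA, filterCA), classify(proxyLeaf, host, pubCA, filterCA)
}

func main() { fmt.Println(demo("forums.example.com")) } // prints: ok intercepted
```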
#17
Thanks for all the replies and concerns, guys!
I'll go through the technical stuff here in a bit. I do appreciate the heads up and concern about what the company might think. They do take seriously people attempting to bypass sites that are blocked, and they monitor all internet activity (probably this too!). However, I don't view this the same as trying to bypass their blocks to, say, access an adult site. That is specifically blocked content. Whereas my personal computer isn't specifically blocked in the sense that they are trying to specifically block me from getting to that specific IP address. Also, I'm sure that many sites that aren't blocked and are acceptable do the same thing that I'd like to do, in that once you access a certain IP address it directs you to a different computer at that IP address.

Oh, another reason why I view what I'd like to do as not being an issue for my company is that when we try to access a site that is specifically blocked, we get a web page that shows that it has been blocked by the company proxy server and the reason why it was blocked. When I try to access my home IP address I don't get that specific message... I just get a Chrome error message that the connection timed out or something like that. If I were to get the web page with the specific reason why the home network I was trying to access was being blocked, then, yes, I think that would be a different story!

Doing this is definitely not worth my job! Using the internet for personal use during periods when we aren't doing a specific job is perfectly acceptable and allowed by company policy. There is nothing in the company internet usage policy that disallows accessing DVRs or personal security systems or home networks or anything like that. I believe it is HOW I am trying to access it that doesn't work, due to some "global" setting, so I'm just wondering how to access it using a method that is allowed.
#18
Quote:
#19
Quote:
The iOS software would also install a custom profile that would install company root certificates so they could perform SSL inspection of traffic, or man-in-the-middle attacks. IT logged every website, how much time you spent on the internet, everything you ever printed, and performed deep packet analysis looking for things like financial data or SSNs. For example, if I uploaded an Excel spreadsheet outside the network with SSNs, in theory at least, the deep packet analysis technology should have prevented the upload and alerted the security department. I'm not sure how well the deep packet analysis technology worked, but the company invested a lot of money in it, so I wouldn't be surprised if it worked really well.

Five or ten years ago, I would probably agree, but not today. The technology has become available even with small business routers. A $650 small business router (ZyXEL USG 100) performs SSL inspection (MitM).