Posted to user@vcl.apache.org by L Chirongo <lu...@gmail.com> on 2020/12/05 08:18:35 UTC

Accessing VCL from internet

Hi Josh,

I'm requesting for advice on how I can have users accessing VCL from
outside the campus.

Below is what I have done so far:

- My setup has one management node that is using a private 192.168.10.x IP
for web access. This is working well from within campus.

- For outside access, I have set up a reverse proxy and through this I am
able to access the VCL web interface, log in, make a reservation, and
download the RDP file.

- For the RDP ports, I have set up NAT on the same firewall that is doing
reverse proxy so that it forwards the RDP port ranges to the management node

Issues I require advice on are:

- The RDP file is having the management node private IP pre-entered. I
would like to have this filled in by default to the firewall WAN IP

- During testing, even after manually editing the pre-filled IP to the
firewall WAN IP, RDP does not work. However, doing an RDP to a different
standalone server through the same NAT works.

Please advise on what I have missed.

Thanks and regards,
Luckmore Chirongo

Re: Accessing VCL from internet

Posted by Josh Thompson <jo...@ncsu.edu>.

Hi Luckmore,

(sending again to include the list)

I'm not 100% sure your setup will work out of the box.  My only concern is 
that vcld will be looking for the public IP of your reverse proxy server when 
configuring NAT rules on the management node.  That said, have you configured 
your management node as a NAT host?  You do this under Manage->"Management 
Nodes" and click Edit for your management node.  Then, select the checkbox 
next to "Use as NAT Host".  Enter the IP of your proxy server as "NAT Public 
IP Address".  Moving on to "NAT Internal IP Address", VCL expects you to have 
2 networks, one that the management node uses to control things, and one over 
which user traffic flows.  I generally refer to the second of those as the 
"NAT network" when in a NAT environment.  Your management node will need an 
IP on this NAT network.  That IP will need to be entered as "NAT Internal IP 
Address".

VCL has code to configure each NAT host to MASQUERADE in the nat tables, but 
since your case is a little different, you'll need to manually configure that 
in your POSTROUTING chain.  As long as vcld sees a MASQUERADE rule in the 
POSTROUTING chain, it will skip the configuration part.

Finally, you'll need to configure each of your VMs to use your management node 
as their NAT host.  You can select all of them and then click "Actions for 
selected computers"->"Change NAT" to change them all at once.

Let us know how that works out.

Josh

On Saturday, December 5, 2020 3:18:35 AM EST you wrote:
> Hi Josh,
> 
> I'm requesting for advice on how I can have users accessing VCL from
> outside the campus.
> 
> Below is what I have done so far:
> 
> - My setup has one management node that is using a private 192.168.10.x IP
> for web access. This is working well from within campus.
> 
> - For outside access, I have set up a reverse proxy and through this I am
> able to access the VCL web interface, log in, make a reservation, and
> download the RDP file.
> 
> - For the RDP ports, I have set up NAT on the same firewall that is doing
> reverse proxy so that it forwards the RDP port ranges to the management node
> 
> Issues I require advice on are:
> 
> - The RDP file is having the management node private IP pre-entered. I
> would like to have this filled in by default to the firewall WAN IP
> 
> - During testing, even after manually editing the pre-filled IP to the
> firewall WAN IP, RDP does not work. However, doing an RDP to a different
> standalone server through the same NAT works.
> 
> Please advise on what I have missed.
> 
> Thanks and regards,
> Luckmore Chirongo
-- 
-------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
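
Added example, not part of Josh's message or of the VCL code: a shell check for the condition the reply describes, a MASQUERADE rule in the nat POSTROUTING chain, run over constructed `iptables -t nat -S POSTROUTING` output. The interface name eth1 and the function names are assumptions, and how vcld itself detects the rule is not shown in the thread.

```shell
#!/bin/sh
# Check the nat POSTROUTING chain for a MASQUERADE rule before relying on
# vcld to skip its own NAT configuration.

# Constructed samples of `iptables -t nat -S POSTROUTING` output.
# 203.0.113.10 is a documentation address, eth1 an assumed interface name.
SAMPLE_WITHOUT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 203.0.113.10'
SAMPLE_WITH='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

# has_masquerade: reads rule listing on stdin; exit status 0 if any rule
# appended to POSTROUTING jumps to the MASQUERADE target, 1 otherwise.
has_masquerade() {
    awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == "MASQUERADE") found = 1
        }
        END { exit !found }
    '
}

# masquerade_status IFACE: reads rule listing on stdin and prints either
# "present" or the command that would add the rule for IFACE.
# IFACE is site-specific (assumption); pick it for your own topology.
masquerade_status() {
    if has_masquerade; then
        echo "present"
    else
        echo "missing: iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
    fi
}

# Stand-alone run: show the result for both constructed samples.
printf '%s\n' "$SAMPLE_WITH"    | masquerade_status eth1
printf '%s\n' "$SAMPLE_WITHOUT" | masquerade_status eth1

# On a real management node (as root), check the live chain instead:
#   sh this_script.sh --live eth1
if [ "${1:-}" = "--live" ]; then
    iptables -t nat -S POSTROUTING | masquerade_status "${2:-eth1}"
fi
```

The script only reports the rule state; it prints the add command rather than running it, so the change stays a deliberate step.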