Replies: 4 comments 8 replies
-
Correct, when you use
Also correct - this is by design. App access does not support direct dial and must dial via proxy. If you want to run a TCP app and SSH server on the same host, and you don't want the SSH server to tunnel, then you'd need to run two separate teleport processes on said host. |
Beta Was this translation helpful? Give feedback.
-
Thx for your answer
True, but this means that if I let teleport agent reach the proxy i need to open anyway the 443 port of proxy to the server, and so let this server reach potentially every other server connected to teleport.
One question: Assume hat I let server A dial with auth_server instead of proxy_server to the teleport server and so let ssh connection directly connectable via 3022 port on server a. If teleport proxy is exposed externally on the internet with port 443 and some external client (web/tsh/connect whatever) try to connect on serverA once logged on the proxy: does this means that server A is not reachable because there isn't a tunnel between teleport proxy and teleport agent ? or anyway the proxy route internally the connection to serverA ? This point is not clear. Thx again |
Beta Was this translation helpful? Give feedback.
-
One more question: is is possible to have 2 proxy: one on dmz (public exposed) and one internal ? Thx |
Beta Was this translation helpful? Give feedback.
-
Does it means that agent would discover automatically (with oss edition) the proxies and establish the reverse tunnel automatically on each proxy on port 3024 ? |
Beta Was this translation helpful? Give feedback.
-
HI
From what i've understand tls routing mode let teleport agent installed on lets say ServerA or ServerB and located in various subnet to initiated the connection to the port 443 of teleport server (proxy).
This let me think about some concerns regarding security when network segmentation is required and enforced.
For example, suppose we have serverA located on 192.168.0.0/24 and serverB located on 192.168.1.0/24.
subnet 192.168.0.0/24 and subnet 192.168.1.0/24 are both firewalled and can't talk each other ( so server A can't ssh to server B and viceversa)
By installing teleport agent on both server A and server B and let they reach the teleport proxy i would create a "virtual" hole in the network security because i could ssh via tsh from server a versus server b by using teleport server as proxy.
I know there is mfa/login etc etc (and even rbac) BUT this defeat the first goal of network segmentation: separate exposed public facing network (dmz) from internal network.
So Is there a way to:
EDIT:
After some research i've notice that the issue is mainly related to proxy mode, in which the teleport agent on serverA or serverB is started with:
proxy_server: xxx.yyy.zzz.www:443
So at least for ssh the issue could be mitigated by configuring teleport ssh agents on the dmz subnet with:
auth_server: xxx.yyy.zzz.www:3025
In this way by firewalling port 443 and open only 3025 the teleport tsh clients residing on the teleport agents (lets say server A and server B) can't be able to reach teleport proxy on 443 port.
So when started tsh ssh root@serverA from a clientB node the connnection flow is from clientB to serverA:3022.
I think this is by design but i've notice a caveat: if we would like to use on serverA for example a TCP App this would not possible without setting proxy_server on the teleport config on the serverA agent.
So if the issue could be mitigated for ssh this is not true for other general services, not mentioning the fact that deployment on new server in firewalled subnet will be impossible to be performed via the web ui because the 443 port is firewalled and then the installation script could not be executed on the endpoint where the teleport agent want to be installed.
Thx
Beta Was this translation helpful? Give feedback.
All reactions