I have configured a ThinLinc server in our company DMZ network, and through this server I am trying to connect to a remote Linux server (it is a Red Hat 9 virtual machine).
When from my client (macOS with the ThinLinc client) I configure the session I put:
as server I indicate my ThinLinc server in the DMZ
as username I indicate a user and a password that has been granted login on the remote Linux server
With this username and password I can log in on the remote server using ThinLinc Web Access on port 300 without issues.
But if I try to use the client I obtain this error:
impossible to configure secure tunnel to agent (ssh terminated)
From the client I see that:
the client shows that it connects successfully through SSH to the ThinLinc server in the DMZ
then the client shows that it is trying to connect to the remote VSM agent on my remote Linux host
After that I obtain the SSH tunnel error.
If I understand it correctly I have to:
open only port 22 to my ThinLinc server in the DMZ
my endpoint must not have a direct connection to the remote Linux host (behind the ThinLinc server) because all the traffic is tunneled through SSH
I have also opened the firewall connection between the ThinLinc server and the remote Linux host.
So why do I obtain the SSH error if my endpoint can reach the ThinLinc server on port 22 without problems?
> then the client shows that it is trying to connect to the remote VSM agent on my remote Linux host
> …
> my endpoint must not have a direct connection to the remote Linux host (behind the ThinLinc server) because all the traffic is tunneled through SSH
The ThinLinc client login is a two-step process:
It will first authenticate over SSH to your ThinLinc server, the address you input in the client dialog.
It will then disconnect and reconnect to the vsmagent, which can be the same server or an entirely different server.
In your case, it sounds like you only have one server, which means that vsmagent is running on the same host as vsmserver, but the client fails in the second step.
The ThinLinc client will attempt to make an SSH connection to what is set as ‘agent_hostname’ in /opt/thinlinc/etc/conf.d/vsmagent.hconf. If nothing is specified, it will take the first primary IP address of the server and try to make a connection to that.
I forgot to add this to my reply, but try setting agent_hostname to the external-facing hostname of your ThinLinc server (the one you specify in the ThinLinc client), and then issue a systemctl restart vsmagent
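As an added illustration of the two-step login described above (my own example code, not part of this thread or of ThinLinc itself), the script below parses a constructed vsmagent.hconf fragment, works out which address the client will be told to reach in step two, flags a private address as unreachable from an endpoint outside the DMZ, and rewrites agent_hostname to the external name. The hconf layout ([vsmagent] section, key=value lines) and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of /opt/thinlinc/etc/conf.d/vsmagent.hconf with an
# empty agent_hostname, the situation described in the thread (assumed layout).
SAMPLE_HCONF = """\
[vsmagent]
# Hostname or IP the client is told to connect to for the session.
agent_hostname=
"""


def parse_hconf(text):
    """Parse the [section] / key=value layout assumed for hconf files."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        conf[(section, key.strip())] = value.strip()
    return conf


def advertised_agent(conf, primary_ip):
    """Address used in step two: agent_hostname if set, else the primary IP."""
    return conf.get(("vsmagent", "agent_hostname"), "") or primary_ip


def reachable_from_outside(target):
    """A bare private or loopback IP cannot be reached from the WAN; a
    hostname is accepted here and left to DNS resolution on the client."""
    try:
        return ipaddress.ip_address(target).is_global
    except ValueError:
        return True


def diagnose(hconf_text, primary_ip):
    """Return (target, ok); ok is False when the agent advertises an internal
    address, which is why the second SSH connection dies for a DMZ client."""
    target = advertised_agent(parse_hconf(hconf_text), primary_ip)
    return target, reachable_from_outside(target)


def fixed_hconf(hconf_text, external_hostname):
    """Point agent_hostname at the name the client already uses for the server."""
    return re.sub(r"(?m)^agent_hostname=.*$",
                  f"agent_hostname={external_hostname}", hconf_text)
```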
I have seen the documentation, but I can say that the port requirements are not very clear.
Maybe it would be nice to have a sort of network diagram of the various components and the involved ports.
If port 22 must be opened for both the VSM server and the VSM agents, what is the purpose of the VSM server in that case? I am thinking that the VSM server acts as a sort of reverse proxy to secure external connections.
Because if I have several VSM agents I would need a different external port (on the WAN side) for every VSM agent, or maybe different external IPs.
> If port 22 must be opened for both the VSM server and the VSM agents, what is the purpose of the VSM server in that case? I am thinking that the VSM server acts as a sort of reverse proxy to secure external connections.
vsmserver enables a system administrator to run multiple ThinLinc agents in a cluster, and in that case acts as the source of truth for which agent has which session.
> Because if I have several VSM agents I would need a different external port (on the WAN side) for every VSM agent, or maybe different external IPs.
You would need different public IP addresses on your firewall, and forward port 22 on each IP to the corresponding local IP's port 22 on your inside zone.
In cases where this is not possible (i.e. you only have one public-facing IP), there is a HOST_ALIASES client setting which, used together with an SSH tunnel from the client to the inside LAN, can work around this.
So the VSM server is used to assign user grants on the cluster, management of sessions, etc.
The VSM agents are instead the hosts to which I would connect.
OK, perfect, so with HOST_ALIASES I can use the same IP address (on the public side) with different ports to reach the internal VSM agents? Perfect, I will try this.
> So the VSM server is used to assign user grants on the cluster, management of sessions, etc.
Yes.
> The VSM agents are instead the hosts to which I would connect.
The server(s) running vsmagent are where the actual session will be started and kept, i.e. your desktop environment.
> OK, perfect, so with HOST_ALIASES I can use the same IP address (on the public side) with different ports to reach the internal VSM agents? Perfect, I will try this.