Being able to remotely connect to a command line on a server can be extremely useful.
Sophos UTM’s HTML5 VPN Portal allows you to provide this without needing to expose the server directly to the Internet or allowing traditional VPN connections. Essentially the UTM proxies your shell session.
This is great because it natively supports Telnet and SSH, and as long as you are connecting to an SSH-capable system, you can easily establish a secure, encrypted session.
Let’s have a look at how to offer PowerShell over SSH using the Sophos UTM.
Extending Windows to support SSH
The big problem now is that Microsoft Windows only supports Telnet or PowerShell PSSessions. Telnet could help you out in a pinch, but since the session is unencrypted, this is not really feasible. This leaves a serious gap: how do you establish a secure shell connection to a Windows Server?
The good news is that Microsoft and the PowerShell team have indicated that they will add SSH support in the future. Until then (or with older systems once the support is added), you can use the following method.
Enabling SSH with Bitvise SSH Server
It is possible to add SSH access to a Windows server. All you need to do is install an SSH server on the Windows machine.
There are a few free SSH Server options for Windows, but the best one I could find is from Bitvise. They have both a free and a commercial license, with a 30-day trial on the commercial version.
The Bitvise SSH Server allows you to use Enterprise features such as domain accounts, and offers session tracking and logging. It also gives you some options when it comes to selecting the shell you want to present.
- Download and Install the Bitvise SSH Server
- Open the easy setting view if not opened by default
- Select the Windows Accounts Tab and click Add
- Windows Account Type : Domain Account
- Specify the login name
- Shell Access type: PowerShell
- Click OK, Save Changes and Start Server
Test Local SSH Access
At this stage you can test connectivity on the local LAN by establishing an SSH session to the Windows Server. This will confirm that the SSH server is functioning, that the Windows Firewall is not causing any issues, and that you’re connecting to the correct shell.
The simplest way to test is to download a copy of the great PuTTY SSH client from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
- Open the PuTTY app
- Add the IP of your Windows SSH server
- Click Open
- Accept the host key when prompted
- Log in
Configure Sophos UTM’s HTML 5 VPN Portal
Now that we have a working SSH server that drops us into a Windows PowerShell session, we can configure the HTML5 VPN portal to serve it. Of course this assumes you have already set up a working User Portal (Sophos UTM Web Admin | Management | UserPortal).
- Browse to Remote Access | HTML5 VPN Portal | + New HTML5 VPN Portal Connection
- Name: Windows PowerShell
- Connection Type: SSH
- Destination: Add or select your Windows machine running the SSH server
- Username: Specify the user that was allowed in the SSH server configuration
- Click the Fetch button to retrieve the public host key
- Specify the Allowed VPN users that have access to the SSH connection
- Click Save
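Two checks a practitioner will want around the local test and the host key fetch above, as an added example that is not part of the original post and not Bitvise or Sophos code: confirm that something is listening on the SSH port and that an inbound firewall rule allows it, and compute the fingerprints of the server's public host key so the value PuTTY shows and the key the UTM fetched can be compared before anyone accepts them. It assumes the default port 22 and a host public key in one-line OpenSSH format (`ssh-rsa AAAA... comment`), which are assumptions, not details from the post.

```powershell
# Added example, not from the original post or from Bitvise/Sophos.
# Run on the Windows server as an administrator.

function Test-SshListener {
    # Assumption: Bitvise was left on the default SSH port 22.
    param([int]$Port = 22)
    $listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    # Enabled inbound allow rules whose port filter covers the SSH port (or 'Any').
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{
        Listening     = [bool]$listen
        OwningProcess = ($listen | Select-Object -First 1).OwningProcess
        AllowRules    = @($rules | Select-Object -ExpandProperty DisplayName)
    }
}

function Get-SshHostKeyFingerprint {
    # $PublicKey is the one-line form "ssh-rsa AAAA... comment" (assumption).
    param([Parameter(Mandatory)][string]$PublicKey)
    $parts = $PublicKey.Trim() -split '\s+'
    $blob  = [Convert]::FromBase64String($parts[1])     # raw wire-format key
    $sha   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($blob)
    $md5   = [System.Security.Cryptography.MD5]::Create().ComputeHash($blob)
    [pscustomobject]@{
        KeyType = $parts[0]
        # OpenSSH style: SHA256 of the key blob, base64 without padding.
        SHA256  = 'SHA256:' + [Convert]::ToBase64String($sha).TrimEnd('=')
        # Colon-separated hex MD5, the form older PuTTY releases display.
        MD5     = ($md5 | ForEach-Object { $_.ToString('x2') }) -join ':'
    }
}

Test-SshListener | Format-List
# Assumption: the host public key was exported from the SSH server to host_key.pub.
Get-SshHostKeyFingerprint -PublicKey (Get-Content .\host_key.pub -Raw) | Format-List
```

If `Listening` is false or `AllowRules` is empty, fix the server or firewall before touching the UTM; if the fingerprint printed here does not match what PuTTY shows, something between you and the server is not the server you expect.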
Open a PowerShell Session using the HTML 5 VPN Portal
Now you are ready to try it out from your Internet-connected test machine using an HTML5-capable browser (any modern browser). No need to install PuTTY or any other terminal console tools.
- Connect to the UserPortal
- Log in as the user you granted permission to in the previous step
- Select the HTML5 VPN Portal Tab
- Click Connect on the PowerShell app we created earlier
- The connection window should open and prompt for a password
- Enter the password and enjoy your PowerShell session!
This workaround enables you to securely grant access to a Windows Server shell until the PowerShell team natively supports SSH. The same connection type we used in this article is also a great way to grant access to other Unix / Linux based systems, as well as your network gear, or any other SSH-enabled device.