TCMS - Thin Client Access Gateway (VPN)
Last modified by Tobias Wintrich on 2024/03/07 15:20
The Rangee Thin Client Management Server (TCMS) can be used as a gateway to connect externally operated Rangee Thin Clients to your network. This HowTo describes the necessary configuration steps.

{{info title="Last tested with the following versions"}}
**Firmware and Software:**

**RangeeOS**

* firmware x64 - 11.00 Build 358

**TCMS**

* firmware x64 - 11.00 Build 358
* TCMS 1.8 x64 11.00 Build 033
{{/info}}

{{toc/}}

= Prerequisites =

To utilize the TCMS VPN functionality, the following prerequisites must be met:

1. The Thin Client with RangeeOS must have the "tcmsclient-vpn" license. If you don't have a license for the module yet, you can purchase one through our [[sales department >>mailto:sales@rangee.com]] or via our [[contact form >>https://rangee.com/en/contact/#contactform]] or request a [[30-day demo license >>https://rangee.com/en/contact/]].
1. The TCMS must be reachable via a fixed IP or hostname.
1. The TCMS must be reachable by the clients on both the chosen registration port and the chosen VPN port.
1. The servers that the clients should reach through the TCMS must be reachable by the TCMS.

= Configuration =

{{warning}}
The configuration presented here must make the TCMS available from the internet for your clients. In this context, we recommend using the [[TCMS - Signature Verification >>https://kb.rangee.com/HowTos/TCMS%20-%20Signaturpr%C3%BCfung/]] to prevent unauthorized clients from registering with the TCMS.
{{/warning}}

== TCMS ==

=== Configuring an Additional TCMS API Port ===

By configuring an additional TCMS API port, you can define a port through which only Thin Clients can connect to the TCMS, while the web interface is not available on it. Using the additional API port is **highly recommended** when making the TCMS available over the internet.

You can configure the additional API port in the TCMS under {{status title="Edit"/}} -> {{status title="Settings"/}} -> {{status title="Base Settings"/}}. Here are the options:

{{warning}}
Changes made to these options require a restart of the TCMS.
{{/warning}}

* **Additional API Port** - Freely selectable TCP port, in our example 8888.
* **Allow Repository Access via Additional API Port** (optional) - Allows clients to receive updates from the TCMS repository via this port.

[[TCMS - Base Settings>>image:TCMS-Base-Settings.png]]

=== Configuring the TCMS VPN Connection ===

{{info}}
Networks defined in this section are written in CIDR form (x.x.x.x/y -> x.x.x.x = IP address, y = prefix length, i.e. the number of network bits). Information on this notation can be found, for example, here:

[[Wikipedia - Classless Inter-Domain Routing>>https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing]]
{{/info}}

You can find the TCMS VPN configuration under {{status title="Edit"/}} -> {{status title="Settings"/}} -> {{status title="TCMS VPN Settings"/}}. The following options are available:

{{warning}}
Changes made to these options require a restart of the TCMS.
{{/warning}}

* **Enable TCMS VPN** - Activates the TCMS VPN service.
* **VPN Subnet** - Defines an internal TCMS-VPN-CLIENT subnet in CIDR form. This network should **not** overlap with your internal network.
* **TCMS VPN Address** - Address of the TCMS server within the VPN subnet.
* **VPN Port** - UDP port over which the VPN connection should be established. Must be made externally available.
* **VPN Route Metric** - Determines the metric with which the VPN route is installed on the client side.
* **Allow VPN NAT routing** - When enabled, this option allows VPN-connected clients to access the servers defined under **Externally accessible targets**.
* **Externally accessible targets** - In this text field, any targets can be made available to VPN-connected clients. The following notation must be used, where only the specification of the server/subnet is mandatory:
#Server/Subnet in CIDR form#:#Port#,#Port2#|#Protocol1#,#Protocol2#
**Examples**:
** **192.168.10.30/32** or **192.168.10.30**
Allows access to all ports on the server with IP 192.168.10.30.
** **192.168.10.0/24**
Allows access to all machines in subnet 192.168.10.0/24.
** **192.168.10.30/32:3389**
Allows access to the server with IP 192.168.10.30 only on port 3389.
** **192.168.10.30/32:443,4712**
Allows access to the server with IP 192.168.10.30 on ports 443 and 4712.
** **192.168.10.0/24:3389|tcp**
Allows access to all machines in subnet 192.168.10.0/24 on port 3389 TCP.
** **192.168.0.0/16:443|tcp,udp,icmp**
Allows access to all machines in subnet 192.168.0.0/16 on port 443 TCP, UDP, and ICMP (Ping).

[[TCMS VPN Settings>>image:TCMS-VPN-Settings.png]]

=== Specifying VPN Clients ===

The specification of which clients should use the TCMS VPN configuration is done through a group setting.

To do this, select the group in the {{status title="Groups"/}} tab for which you want to enable TCMS-VPN. Then, enable the **"Allow TCMS VPN for this group"** option in the {{status title="Settings"/}} tab of the group.

[[Activate VPN Connection for Group>>image:Activate-VPN-Connection-Group.png]]

== Thin Client ==

On the Thin Client side, no special configuration is required to use the TCMS VPN connection. The client receives all necessary data for this from its TCMS configuration.

However, ensure that the client establishes its connection to the TCMS via the **Additional API Port** and the **externally resolvable hostname or fixed IP address**. You can find the setting in the client's Kommbox under {{status title="Remote Administration"/}} -> {{status title="TCMS Settings"/}}.

[[TCMS Settings on Thin Client Side>>image:TCMS-Settings-on-Thin-Client-Side.png]]

== Firewall ==

On the firewall side, appropriate rules must be defined for the ports you have chosen.

Example configuration for allowing an RDP server:

* TCMS:
** IP in DMZ: 10.10.10.5
** API Port 8888
** VPN Port 4713
* RDP Server:
** IP in Internal Network: 192.168.10.30

For this example configuration, the following rules must be created in your firewall(s):

1. **DNAT/Allow** from **Internet** to **Port 8888 (TCP)** to **TCMS** (DMZ/10.10.10.5)
2. **DNAT/Allow** from **Internet** to **Port 4713 (UDP)** to **TCMS** (DMZ/10.10.10.5)
3. **DNAT/Allow** from **TCMS** to **Port 3389 (TCP/UDP)** to **RDP Server** (Internal/192.168.10.30)

[[image:tcms-vpn.png||alt="Diagram of TCMS VPN Network Configuration"]]
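As an added example (not code from the Rangee KB article or from the TCMS product), the Python below parses the **Externally accessible targets** notation described in the TCMS VPN Settings section, rejects entries that overlap the VPN subnet, and derives from such entries the kind of firewall rules listed in the Firewall section. The VPN subnet 10.8.0.0/24, the rule-tuple format and the default of TCP plus UDP for a target without a protocol list (modelled on rule 3 above) are assumptions.

```python
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp"}  # the protocols the article's examples use

def parse_target(line, vpn_subnet):
    """Parse one "Externally accessible targets" entry of the form
    <server/subnet in CIDR form>[:<port>,<port2>][|<proto1>,<proto2>].
    Only the server/subnet is mandatory; an empty port or protocol list
    means "all". Raises ValueError for malformed entries and for targets
    that overlap the VPN subnet (the article says they must not)."""
    rest, _, proto_part = line.strip().partition("|")
    net_part, _, port_part = rest.partition(":")
    if "/" not in net_part:  # a bare IP means /32, as in the article's examples
        net_part += "/32"
    net = ipaddress.ip_network(net_part)  # strict: rejects host bits set in a subnet
    if net.overlaps(ipaddress.ip_network(vpn_subnet)):
        raise ValueError(f"{net} overlaps the VPN subnet {vpn_subnet}")
    ports = [int(p) for p in port_part.split(",") if p]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {line!r}")
    protos = [p.strip().lower() for p in proto_part.split(",") if p.strip()]
    unknown = set(protos) - PROTOCOLS
    if unknown:
        raise ValueError(f"unknown protocol(s) {sorted(unknown)} in {line!r}")
    return {"net": str(net), "ports": ports, "protos": protos}

def firewall_rules(tcms_dmz_ip, api_port, vpn_port, targets, vpn_subnet):
    """Return (source, destination, protocol, port) tuples in the order of the
    Firewall section: the two inbound DNAT/allow rules to the TCMS, then one
    rule per target, protocol and port from the TCMS into the internal network.
    Assumption: no protocol list means TCP and UDP; ICMP gets port None."""
    rules = [("Internet", tcms_dmz_ip, "tcp", api_port),
             ("Internet", tcms_dmz_ip, "udp", vpn_port)]
    for entry in targets:
        tgt = parse_target(entry, vpn_subnet)
        for proto in tgt["protos"] or ["tcp", "udp"]:
            if proto == "icmp":
                rules.append((tcms_dmz_ip, tgt["net"], "icmp", None))
                continue
            for port in tgt["ports"] or ["any"]:
                rules.append((tcms_dmz_ip, tgt["net"], proto, port))
    return rules

if __name__ == "__main__":
    # Constructed input: the article's Firewall example plus an assumed VPN
    # subnet of 10.8.0.0/24 (the article does not state one).
    for rule in firewall_rules("10.10.10.5", 8888, 4713,
                               ["192.168.10.30/32:3389"], "10.8.0.0/24"):
        print(rule)
```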