Wiki source code of TCMS - Thin Client Access Gateway (VPN)

Last modified by Adrian Hömann on 2024/03/07 16:56

version	line-number	content
33.1	1	The Rangee Thin Client Management Server (TCMS) can be used as a gateway to connect externally operated Rangee Thin Clients to your network. This HowTo describes the necessary configuration steps.
4.1	2
33.1	3	{{info title="Last tested with the following versions"}}
	4	Firmware and Software:
4.1	5
20.1	6	RangeeOS
4.1	7
20.1	8	* firmware x64 - 11.00 Build 358
4.1	9
20.1	10	TCMS
4.1	11
20.1	12	* firmware x64 - 11.00 Build 358
21.1	13	* TCMS 1.8 x64 11.00 Build 033
20.1	14	{{/info}}
4.1	15
20.1	16	{{toc/}}
4.1	17
33.1	18	= Prerequisites =
4.1	19
33.1	20	To utilize the TCMS VPN functionality, the following prerequisites must be met:
4.1	21
33.1	22	1. The Thin Client with RangeeOS must have the "tcmsclient-vpn" license. If you don't have a license for the module yet, you can purchase one through our [[sales department >>mailto:sales@rangee.com]] or via our [[contact form >>https://rangee.com/en/contact/#contactform]] or request a [[30-day demo license >>https://rangee.com/en/contact/]].
	23	1. The TCMS must be reachable via a fixed IP or hostname.
	24	1. The TCMS must be reachable by both the chosen registration port and the chosen VPN port for the clients.
	25	1. The servers that the clients should be reachable through the TCMS must be reachable by the TCMS.
4.1	26
33.1	27	= Configuration =
20.1	28
	29	{{warning}}
33.1	30	The configuration presented here must make the TCMS available from the internet for your clients. In this context, we recommend using the [[TCMS - Signature Verification >>https://kb.rangee.com/HowTos/TCMS%20-%20Signaturpr%C3%BCfung/]] to prevent unauthorized clients from registering with the TCMS.
20.1	31	{{/warning}}
	32
	33	== TCMS ==
	34
33.1	35	=== Configuring an Additional TCMS API Port ===
20.1	36
33.1	37	By configuring an additional TCMS API port, you can define a port through which only Thin Clients can connect to the TCMS, while the web interface is not available. Using the additional API port is highly recommended when making the TCMS available over the internet.
20.1	38
33.1	39	You can configure the additional API port in the TCMS under {{status title="Edit"/}} -> {{status title="Settings"/}} -> {{status title="Base Settings"/}}. Here are the options:
20.1	40
	41	{{warning}}
33.1	42	Changes made to these options require a restart of the TCMS.
20.1	43	{{/warning}}
	44
33.1	45	* Additional API Port - Freely selectable TCP port, in our example 8888.
	46	* Allow Repository Access via Additional API Port (optional) - Allows clients to receive updates from the TCMS repository via this port.
20.1	47
33.1	48	[[TCMS - Base Settings>>image:TCMS-Base-Settings.png]]
20.1	49
33.1	50	=== Configuring the TCMS VPN Connection ===
20.1	51
	52	{{info}}
33.1	53	Networks defined in this section are represented in CIDR form (x.x.x.x/y -> x.x.x.x = IP, y = Subnet). Information on this notation can be found, for example, here:
20.1	54
33.1	55	[[Wikipedia - Classless Inter-Domain Routing>>https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing]]
20.1	56	{{/info}}
	57
33.1	58	You can find the TCMS VPN configuration under (% id="cke_bm_9924S" style="display:none" %) (%%) {{status title="Edit"/}} -> {{status title="Settings"/}} -> {{status title="TCMS VPN Settings"/}} (% id="cke_bm_9924E" style="display:none" %) (%%). Here are the following options:
20.1	59
	60	{{warning}}
33.1	61	Changes made to these options require a restart of the TCMS.
20.1	62	{{/warning}}
	63
33.1	64	* Enable TCMS VPN - Activates the TCMS VPN service.
	65	* VPN Subnet - Defines an internal TCMS-VPN-CLIENT subnet in CIDR form. This network should not overlap with your internal network.
	66	* TCMS VPN Address - Address of the TCMS server within the VPN subnet.
	67	* VPN Port - UDP port over which the VPN connection should be established. Must be made externally available.
	68	* VPN Route Metric - Determines the metric with which the VPN connection is established on the client side.
	69	* Allow VPN NAT routing - When enabled, this option allows VPN-connected clients to access servers defined under Externally accessible targets.
	70	* Externally accessible targets - In this text field, any targets for VPN-connected clients can be made available. The following notations must be used, where only the specification of the server/subnet is mandatory:
	71	#Server/Subnet in CIDR form#:#Port#,#Port2#\|#Protocol1#,#Protocol2#
	72	Examples:
	73	192.168.10.30/32 or 192.168.10.30**
	74	Allows access to all ports on the server with IP 192.168.10.30.
20.1	75	192.168.10.0/24**
33.1	76	Allows access to all machines in subnet 192.168.10.0/24.
20.1	77	192.168.10.30/32:3389**
33.1	78	Allows access to the server with IP 192.168.10.30 only on port 3389.
20.1	79	192.168.10.30/32:443,4712**
33.1	80	Allows access to the server with IP 192.168.10.30 on ports 443 and 4712.
20.1	81	192.168.10.0/24:3389\|tcp**
33.1	82	Allows access to all machines in subnet 192.168.10.0/24 on port 3389 TCP.
	83	192.168.0.0/16:443\|tcp,udp,icmp**
	84	Allows access to all machines in subnet 192.168.0.0/16 on port 443 TCP, UDP, and ICMP (Ping).
20.1	85
33.1	86	[[TCMS VPN Settings>>image:TCMS-VPN-Settings.png]]
20.1	87
33.1	88	=== Specifying VPN Clients ===
20.1	89
33.1	90	The specification of which clients should use the TCMS VPN configuration is done through a group setting.
20.1	91
33.1	92	To do this, select the group in the {{status title="Groups"/}} tab for which you want to enable TCMS-VPN. Then, enable the "Allow TCMS VPN for this group" option in the {{status title="Settings"/}} tab of the group.
20.1	93
33.1	94	[[Activate VPN Connection for Group>>image:Activate-VPN-Connection-Group.png]]
20.1	95
	96	== Thin Client ==
	97
33.1	98	On the Thin Client side, no special configuration is required to use the TCMS VPN connection. The client receives all necessary data for this from its TCMS configuration.
20.1	99
33.1	100	However, ensure that the client establishes its connection to the TCMS via the Additional API Port and the externally resolvable hostname or fixed IP address. You can find the setting in the client's Kommbox under {{status title="Remote Administration"/}} -> {{status title="TCMS Settings"/}}.
20.1	101
33.1	102	[[TCMS Settings on Thin Client Side>>image:TCMS-Settings-on-Thin-Client-Side.png]]
20.1	103
	104	== Firewall ==
	105
33.1	106	On the firewall side, appropriate rules must be defined for the ports you have chosen.
20.1	107
33.1	108	Example configuration for allowing an RDP server:
20.1	109
	110	* TCMS:
	111	** IP in DMZ: 10.10.10.5
33.1	112	** API Port 8888
20.1	113	** VPN Port 4713
	114	* RDP Server:
33.1	115	** IP in Internal Network: 192.168.10.30
20.1	116
33.1	117	For this example configuration, the following rules must be created in your firewall(s):
20.1	118
33.1	119	1. DNAT/Allow from Internet to Port 8888 (TCP) to TCMS (DMZ/10.10.10.5)
	120	2. DNAT/Allow from Internet to Port 4713 (UDP) to TCMS (DMZ/10.10.10.5)
	121	3. DNAT/Allow from TCMS to Port 3389 (TCP/UDP) to RDP Server (Internal/192.168.10.30)
20.1	122
33.1	123	[[image:tcms-vpn.png\|\|alt="Diagram of TCMS VPN Network Configuration"]]

Wiki source code of TCMS - Thin Client Access Gateway (VPN)

Featured

Navigation

Recently Created

Recently Visited

Wiki source code of TCMS - Thin Client Access Gateway (VPN)

Featured

Recently Created

Topics