Environment
Novell BorderManager 3.8
Novell BorderManager 3.8 Support Pack 4 Interim Release 5 (BM38SP4_IR5)
Situation
Access control rules are enabled on the BorderManager server to
block access to undesired content.
Using tunneling software running on internal workstations, such as http-tunnel, httport, socks2http and similar tools, users are able to bypass the BorderManager access control rules.
Resolution
This TID is specific to blocking the http-tunnel program. For other
programs, take a LAN trace to learn the software's behavior and then
block it accordingly.
http-tunnel has two ways of working:
a. If the box to use CONNECT is not checked, it uses plain POST requests to contact an external server, so blocking those servers stops it from working.
Add a deny rule of type URL, with these destinations:
http://207.226.175.49/*
http://207.226.175.181/*
http://207.226.175.65/*
http://207.226.175.133/*
http://207.226.175.149/*
http://207.226.175.165/*
http://207.226.175.197/*
http://207.226.175.48/*
http://207.226.175.64/*
http://207.226.175.132/*
http://207.226.175.148/*
http://207.226.175.164/*
http://207.226.175.180/*
http://207.226.175.196/*
A trace revealed that the program has to contact these servers to bypass the proxy. With them blocked, the program no longer works.
b. If the box to use CONNECT is checked, you have to enable the tunneling control feature in proxy.cfg:
[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=1
This stops the program because it tries to connect to port 1178 with the CONNECT method, which is now blocked.
After applying these settings, all CONNECT requests are blocked except those to port 443, the default SSL port. If any software connects through BorderManager with SSL on another port, also add the following entry to proxy.cfg:
[HttpTunnelingAllowed]
port1=xxxx
port2=xxxx
where xxxx is the destination port of your application.
So, to fully stop http-tunnel, you need both measures: the tunneling settings in proxy.cfg and the URL rule blocking these IP addresses.
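As an added example (not part of this TID and not BorderManager code), the following Python script models the two controls above and runs them over a constructed set of proxy request lines, the way you would check a LAN trace before and after applying the settings: a request to one of the listed http-tunnel servers is denied by the URL rule, and a CONNECT to any port other than 443 or a port listed under [HttpTunnelingAllowed] is denied by tunneling control. The request lines, the example hostnames and the function names are assumptions made for the example; the IP addresses and proxy.cfg keys are the ones from this TID.

```python
"""Model of the two BorderManager controls from this TID, applied to a
constructed proxy trace. Added example, not BorderManager's own logic."""
import re
from urllib.parse import urlsplit

# Destination IPs from the TID's deny rule (http://<ip>/*).
HTTP_TUNNEL_SERVERS = {
    "207.226.175.49", "207.226.175.181", "207.226.175.65", "207.226.175.133",
    "207.226.175.149", "207.226.175.165", "207.226.175.197", "207.226.175.48",
    "207.226.175.64", "207.226.175.132", "207.226.175.148", "207.226.175.164",
    "207.226.175.180", "207.226.175.196",
}

# With EnableTunnelingControl=1 only port 443 is allowed for CONNECT by default.
DEFAULT_ALLOWED_CONNECT_PORTS = frozenset({443})

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def parse_allowed_ports(proxy_cfg: str) -> set:
    """Collect portN=xxxx entries from a [HttpTunnelingAllowed] section,
    always including 443. Other sections of proxy.cfg are ignored."""
    ports = set(DEFAULT_ALLOWED_CONNECT_PORTS)
    in_section = False
    for raw in proxy_cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[httptunnelingallowed]"
            continue
        if in_section:
            key, _, value = line.partition("=")
            if key.strip().lower().startswith("port") and value.strip().isdigit():
                ports.add(int(value.strip()))
    return ports


def classify(request_line: str, allowed_ports=None) -> str:
    """Return 'deny-ip', 'deny-connect', 'allow' or 'malformed' for one
    proxy request line, applying the TID's URL rule to plain HTTP requests
    and tunneling control to CONNECT requests."""
    if allowed_ports is None:
        allowed_ports = DEFAULT_ALLOWED_CONNECT_PORTS
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "malformed"
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # Tunneling control: CONNECT target is host:port, only allowed ports pass.
        _host, _, port = target.rpartition(":")
        if not port.isdigit() or int(port) not in allowed_ports:
            return "deny-connect"
        return "allow"
    # URL deny rule: any plain request (POST, GET, ...) to the listed servers.
    host = urlsplit(target).hostname or ""
    if host in HTTP_TUNNEL_SERVERS:
        return "deny-ip"
    return "allow"


# Constructed trace: what http-tunnel and ordinary clients send to the proxy.
SAMPLE_TRACE = [
    "POST http://207.226.175.49/ HTTP/1.0",            # http-tunnel, CONNECT unchecked
    "CONNECT 207.226.175.49:1178 HTTP/1.0",             # http-tunnel, CONNECT checked
    "CONNECT www.example.com:443 HTTP/1.0",            # ordinary HTTPS, must keep working
    "CONNECT mail.example.com:993 HTTP/1.0",           # SSL on a non-default port
    "GET http://www.example.com/index.html HTTP/1.0",  # ordinary web browsing
]

# Constructed proxy.cfg with the TID's settings plus one extra SSL port.
SAMPLE_PROXY_CFG = """[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=1
[HttpTunnelingAllowed]
port1=993
"""


def audit(lines, proxy_cfg=""):
    """Classify every request line under the policy in proxy_cfg."""
    ports = parse_allowed_ports(proxy_cfg)
    return [(line, classify(line, ports)) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_TRACE, SAMPLE_PROXY_CFG):
        print(f"{verdict:13s} {line}")
```

Running the audit with an empty proxy.cfg shows the IMAP CONNECT to port 993 being denied along with http-tunnel's CONNECT to 1178; adding port1=993 under [HttpTunnelingAllowed] restores it without reopening 1178, which is the adjustment the TID asks for when legitimate SSL traffic uses a non-default port.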
Additional Information
To block another tunneling program, socks2http, please refer
to TID 10078519:
https://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=10078519&sliceId=&dialogID=14967780&stateId=0%200%2014969447