ferrumgate / secure.client

electronjs based client for zero trust access
https://ferrumgate.com/docs/clients/
Apache License 2.0
11 stars 4 forks

After the client connects, it keeps prompting: checking device wait #41

Closed wokula closed 1 year ago

wokula commented 1 year ago

After the client connects, it keeps prompting: checking device wait

client logs:

[2023-08-09 17:07:26.240] [info] open link https://sslvpn.xxx.com//login?exchange=3160586693344e538928185bcf35be5e2c0039e73acbfb61a1ebfc01e8e6af72edf25fba49faed45db25264563242a9b4d4d8e55954a2806e994fd4c870d9f1426a5add403d578dfd84ea5c1316efb67e2c452df8192c262c77ead662c3d8dfb2a69272e9f06a42168f110eb379b308515ffe6acb6bc8a1f7994c082c9443f0210b36e6c9aa6183be7349bdc99895f8a
[2023-08-09 17:07:26.465] [error] Command failed: taskkill.exe /IM "ssh_ferrum.exe" /F ERROR: The process "ssh_ferrum.exe" not found.
[2023-08-09 17:07:26.467] [info] executing command at worker
[2023-08-09 17:07:26.468] [info] conf response is null
[2023-08-09 17:07:28.312] [error] http response status code: 401
[2023-08-09 17:07:30.262] [error] http response status code: 401
[2023-08-09 17:07:32.312] [error] http response status code: 401
[2023-08-09 17:07:34.264] [error] http response status code: 401
[2023-08-09 17:07:36.271] [error] http response status code: 401
[2023-08-09 17:07:38.304] [error] http response status code: 401
[2023-08-09 17:07:40.263] [error] http response status code: 401
[2023-08-09 17:07:42.267] [error] http response status code: 401
[2023-08-09 17:07:44.310] [error] http response status code: 401
[2023-08-09 17:07:46.279] [info] Session created
[2023-08-09 17:07:46.471] [info] executing command at worker
[2023-08-09 17:07:48.469] [info] getting device posture
[2023-08-09 17:07:48.662] [error] unable to verify the first certificate
[2023-08-09 17:07:59.245] [info] executing command at worker
[2023-08-09 17:07:59.246] [info] sync network status 2023-08-09T09:07:59.244Z
[2023-08-09 17:07:59.246] [info] sync network status []
[2023-08-09 17:08:02.244] [info] executing command at worker
[2023-08-09 17:08:02.245] [info] sync network status 2023-08-09T09:08:02.243Z
[2023-08-09 17:08:02.245] [info] sync network status []
[2023-08-09 17:08:04.485] [info] getting device posture
[2023-08-09 17:08:04.514] [error] unable to verify the first certificate
[2023-08-09 17:08:05.244] [info] executing command at worker
[2023-08-09 17:08:05.245] [info] sync network status 2023-08-09T09:08:05.243Z
[2023-08-09 17:08:05.245] [info] sync network status []
[2023-08-09 17:08:08.245] [info] executing command at worker
[2023-08-09 17:08:08.245] [info] sync network status 2023-08-09T09:08:08.244Z
[2023-08-09 17:08:08.246] [info] sync network status []
[2023-08-09 17:08:11.244] [info] executing command at worker
[2023-08-09 17:08:11.245] [info] sync network status 2023-08-09T09:08:11.244Z
[2023-08-09 17:08:11.245] [info] sync network status []
[2023-08-09 17:08:14.246] [info] executing command at worker
[2023-08-09 17:08:14.247] [info] sync network status 2023-08-09T09:08:14.245Z
[2023-08-09 17:08:14.247] [info] sync network status []
[2023-08-09 17:08:17.246] [info] executing command at worker
[2023-08-09 17:08:17.247] [info] sync network status 2023-08-09T09:08:17.245Z
[2023-08-09 17:08:17.247] [info] sync network status []
[2023-08-09 17:08:20.247] [info] executing command at worker
[2023-08-09 17:08:20.247] [info] sync network status 2023-08-09T09:08:20.246Z
[2023-08-09 17:08:20.248] [info] sync network status []
[2023-08-09 17:08:20.487] [info] getting device posture

ferrumgate commented 1 year ago

please disable certificate verify from options, restart client, and try again.
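The "unable to verify the first certificate" line in the log above is the wording Node.js (and therefore Electron) uses when the server presented a leaf certificate whose issuer could not be found: typically the gateway or reverse proxy sends only the leaf and omits the intermediate CA. Turning certificate verification off makes the client accept any certificate on its HTTPS control channel, so the durable fix is to serve the full chain. The Go program below is an added example, not code from the FerrumGate project or from this thread; it builds a throwaway root/intermediate/leaf hierarchy for an assumed hostname and shows that the same trusted root verifies the leaf only when the intermediate is presented alongside it.

```go
package main

// Added example, not FerrumGate code: reproduces the incomplete-chain failure
// offline with a throwaway PKI. The hostname is an assumption.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is the hierarchy a gateway usually sits behind: the client trusts Root,
// Intermediate signs Leaf, and the server must present Leaf and Intermediate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestChain creates root -> intermediate -> leaf for host, valid now.
func BuildTestChain(host string) Chain {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Test Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed anchor
	inter := sign(ca(2, "Test Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented does what a TLS client does with the certificates the server
// sent: presented[0] is the leaf, the rest become untrusted intermediates, and
// only root comes from the local trust store.
func VerifyPresented(root *x509.Certificate, presented []*x509.Certificate, host string) error {
	if len(presented) == 0 {
		return errors.New("server presented no certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	host := "sslvpn.example.com" // assumed stand-in for the thread's sslvpn.xxx.com
	ch := BuildTestChain(host)
	// Misconfigured server: leaf only. Fails although the root is trusted,
	// because the leaf's issuer cannot be found anywhere.
	fmt.Println("leaf only:        ", VerifyPresented(ch.Root, []*x509.Certificate{ch.Leaf}, host))
	// Correct server: leaf plus intermediate. The chain builds up to the root.
	fmt.Println("leaf+intermediate:", VerifyPresented(ch.Root, []*x509.Certificate{ch.Leaf, ch.Intermediate}, host))
}
```

Against a live endpoint the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`: if only one certificate block comes back, the server-side chain file is missing the intermediate, and that is what to fix rather than setting sslVerify to false.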

wokula commented 1 year ago

According to your method, it is correct

thanks

wokula commented 1 year ago

After the client connects, it keeps prompting: time is invalid. client logs:

[2023-08-09 20:41:00.301] [info] config is {"host":"https://sslvpn.XXXXXX.com/","id":"2o9Gxw45lUSG0khQ","sslVerify":false}
[2023-08-09 20:41:00.665] [error] Command failed: manage-bde -status 2> nul
[2023-08-09 20:41:00.950] [info] device posture is
[2023-08-09 20:41:01.001] [info] getting networks
[2023-08-09 20:41:01.034] [info] network: {"items":[{"id":"hXdnU1Xsoq93v59v","name":"default","action":"deny","needs2FA":false,"needsIp":false,"needsDevicePosture":false,"needsTime":true,"sshHost":"10.0.11.242:9999"}]}
[2023-08-09 20:41:03.088] [info] executing command at worker
[2023-08-09 20:41:03.103] [info] sync network status 2023-08-09T12:41:03.086Z
[2023-08-09 20:41:03.118] [info] sync network status [{"id":"hXdnU1Xsoq93v59v","name":"default","action":"deny","needs2FA":false,"needsIp":false,"needsDevicePosture":false,"needsTime":true,"sshHost":"10.0.11.242:9999"}]
[2023-08-09 20:41:06.152] [info] executing command at worker
[2023-08-09 20:41:06.168] [info] sync network status 2023-08-09T12:41:06.128Z
[2023-08-09 20:41:06.181] [info] sync network status [{"id":"hXdnU1Xsoq93v59v","name":"default","action":"deny","needs2FA":false,"needsIp":false,"needsDevicePosture":false,"needsTime":true,"sshHost":"10.0.11.242:9999"}]
[2023-08-09 20:41:10.549] [info] executing command at worker
[2023-08-09 20:41:10.565] [info] sync network status 2023-08-09T12:41:10.549Z
[2023-08-09 20:41:10.578] [info] sync network status [{"id":"hXdnU1Xsoq93v59v","name":"default","action":"deny","needs2FA":false,"needsIp":false,"needsDevicePosture":false,"needsTime":true,"sshHost":"10.0.11.242:9999"}]
[2023-08-09 20:41:13.550] [info] executing command at worker
[2023-08-09 20:41:13.563] [info] sync network status 2023-08-09T12:41:13.549Z
[2023-08-09 20:41:13.575] [info] sync network status [{"id":"hXdnU1Xsoq93v59v","name":"default","action":"deny","needs2FA":false,"needsIp":false,"needsDevicePosture":false,"needsTime":true,"sshHost":"10.0.11.242:9999"}]

ferrumgate commented 1 year ago

The needsTime field is true; that means you defined a time restriction under Policy/Authentication -> Time settings.

wokula commented 1 year ago

I have adjusted the previous time issue

Now there are new problems

Explain

My previous "ferrumgate" testing environment was to directly publish the business on the internet. It passed the test.

I am currently publishing the "ferrumgate" business through reverse proxy software.

client logs:

[2023-08-09 20:55:30.481] [info] config is {"host":"https://sslvpn.xxxx.com","id":"ZXBQMxdW3H3eX0Fn","sslVerify":false}
[2023-08-09 20:55:30.771] [error] Command failed: manage-bde -status 2> nul
[2023-08-09 20:55:30.879] [error] Command failed: wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct get * /value ERROR: Description = Invalid namespace
[2023-08-09 20:55:31.020] [info] device posture is {"clientId":"ZXBQMxdW3H3eX0Fn","clientVersion":"1.7.0","clientSha256":"","hostname":"WIN-A7S23OHFR1L","macs":["00:0c:29:b6:c8:d9"],"os":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763"},"platform":"win32","registries":[],"files":[],"processes":[],"processSearch":[],"memory":{"total":2146443264,"free":424677376},"serial":{"value":"VMware-56 4d 78 25 b2 f6 9c ae-cb d3 3f 2c cb b6 c8 d9"},"encryptedDiscs":[{"isEncrypted":false}],"antiviruses":[{"isEnabled":false}],"firewalls":[{"isEnabled":false}]}
[2023-08-09 20:55:31.080] [info] getting networks
[2023-08-09 20:55:31.127] [info] network: {"items":[{"id":"hXdnU1Xsoq93v59v","name":"default","action":"allow","sshHost":"10.0.11.242:9999"}]}
[2023-08-09 20:55:31.151] [error] no tunnel created for default starting new one
[2023-08-09 20:55:31.167] [info] starting new tunnel "C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_ferrum.exe" -N -F "C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_config" -w any -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" ferrum@10.0.11.242 -p9999
[2023-08-09 20:55:31.182] [info] executing process command
[2023-08-09 20:55:31.214] [info] ferrum_pid:4112
[2023-08-09 20:55:31.231] [info] 2023-08-09 12:55:31.0222 [+] wintun library loaded
[2023-08-09 20:55:31.455] [info] 2023-08-09 12:55:31.0458 [+] wintun v0.14 loaded
[2023-08-09 20:55:31.484] [info] interface_name:ferrum8zqr21
[2023-08-09 20:55:37.969] [info] executing command at worker
[2023-08-09 20:55:37.987] [info] sync network status 2023-08-09T12:55:37.9

ferrumgate commented 1 year ago

Is port 9999 accessible?

please type below command as Administrator on console (cmd.exe or powershell)

"C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_ferrum.exe" -N -F "C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_config" -w any -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" ferrum@10.0.11.242 -p9999

wokula commented 1 year ago

On the internal network of the "ferrumgate" server, telnet 10.0.11.242 9999 can be used, and the port is open.

wokula commented 1 year ago

The 'ferrumgate' client is disconnected from the network

client cmd:

C:\Users\Administrator>"C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_ferrum.exe" -N -F "C:\Program Files\FerrumGate\app-1.7.0\resources\app\service\win32\ssh_config" -w any -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" ferrum@10.0.11.242 -p9999
ferrum_pid:3432
2023-08-09 13:26:05.0317 [+] wintun library loaded
2023-08-09 13:26:05.0538 [+] wintun v0.14 loaded
interface_name:ferrumcjkVM6
ssh: connect to host 10.0.11.242 port 9999: Connection timed out
ferrum_exit:

C:\Users\Administrator>

wokula commented 1 year ago

My previous "ferrumgate" testing environment was to directly publish the business on the internet. It passed the test.

I am currently publishing the "ferrumgate" business through reverse proxy software.

ferrumgate commented 1 year ago

The "default" network is working on tcp port 9999, so you need to give public access to tcp port 9999 on the machine. With the reverse proxy you are probably redirecting only 80 and 443; please also forward 9999 as tcp.

wokula commented 1 year ago

If 'ferrumgate' only maps ports 80 and 443 through the NAT port of the access firewall, do you still need to add port 9999?

ferrumgate commented 1 year ago

yes, you have a network named "default", and you have a gateway (tunnel server), and the gateway is working on 9999. You can also create many networks this way, which aims at zero trust micro-segmentation as you want.
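The point of the answer above is that the HTTPS control plane (80/443) and the per-network tunnel gateway (tcp 9999 here) are separate listeners: an HTTP reverse proxy in front of 443 says nothing about whether a client can reach the gateway's TCP port, and the client only learns the gateway address (the sshHost field) after it has logged in. The Go program below is an added diagnostic, not FerrumGate code: it parses the "network:" line the client writes to its log, and for every network the policy allows it completes a bare TCP handshake with that network's sshHost, which is the step that timed out in this thread. The log line in main is a constructed sample in the shape of the one above, and the 10.0.11.242:9999 address is taken from the thread, not resolved anywhere.

```go
package main

// Added example, not FerrumGate code: parses the "network:" line from the
// client log and checks that each allowed network's tunnel gateway (sshHost)
// accepts a TCP connection, which ssh_ferrum.exe needs before it can even
// start the SSH handshake.

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
	"time"
)

// NetworkItem carries the fields of the log payload that matter here; the
// policy flags (needs2FA, needsTime, ...) are simply ignored by the decoder.
type NetworkItem struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Action  string `json:"action"`
	SSHHost string `json:"sshHost"`
}

// ParseNetworkLog returns the items from a line such as
//   [ts] [info] network: {"items":[...]}
// A Decoder is used instead of Unmarshal so trailing text after the JSON is tolerated.
func ParseNetworkLog(line string) ([]NetworkItem, error) {
	const marker = "network: "
	i := strings.Index(line, marker)
	if i < 0 {
		return nil, fmt.Errorf("no %q payload in line", strings.TrimSpace(marker))
	}
	var payload struct {
		Items []NetworkItem `json:"items"`
	}
	if err := json.NewDecoder(strings.NewReader(line[i+len(marker):])).Decode(&payload); err != nil {
		return nil, err
	}
	return payload.Items, nil
}

// CheckGateway completes a plain TCP handshake with the tunnel endpoint.
// "connection timed out" means the port is not forwarded to the gateway (the
// thread's case); "connection refused" means it is forwarded but nothing
// listens there. Neither involves authentication.
func CheckGateway(addr string, timeout time.Duration) error {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return err
	}
	return c.Close()
}

// UnreachableGateways maps the name of every allowed network whose gateway
// could not be reached to the dial error. Networks the policy denies are
// skipped, because the client never starts a tunnel for them.
func UnreachableGateways(items []NetworkItem, timeout time.Duration) map[string]error {
	bad := map[string]error{}
	for _, it := range items {
		if it.Action != "allow" {
			continue
		}
		if err := CheckGateway(it.SSHHost, timeout); err != nil {
			bad[it.Name] = err
		}
	}
	return bad
}

func main() {
	// Constructed sample in the shape of the thread's log line, not a real capture.
	line := `[2023-08-09 20:55:31.127] [info] network: {"items":[{"id":"hXdnU1Xsoq93v59v","name":"default","action":"allow","sshHost":"10.0.11.242:9999"}]}`
	items, err := ParseNetworkLog(line)
	if err != nil {
		panic(err)
	}
	bad := UnreachableGateways(items, 3*time.Second)
	for _, it := range items {
		if err, down := bad[it.Name]; down {
			fmt.Printf("network %q: gateway %s NOT reachable: %v\n", it.Name, it.SSHHost, err)
		} else if it.Action == "allow" {
			fmt.Printf("network %q: gateway %s reachable\n", it.Name, it.SSHHost)
		}
	}
}
```

Run it from the client machine, not from inside the gateway's LAN: the thread shows telnet succeeding on the server's internal network while the same port times out from the client, which is exactly the case where only the proxied 80/443 had been published.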

wokula commented 1 year ago

If 'ferrumgate' only maps ports 80 and 443 through the NAT port of the access firewall, do you still need to add port 9999?

wokula commented 1 year ago

I have been reading the documentation for a long time this morning, but I didn't see this explanation. It's possible that I didn't look carefully.

I personally think the documentation may need to be more detailed, for technical personnel in non-English-speaking regions.

I need to sleep now.

ferrumgate commented 1 year ago

Sorry about that, you probably skipped this,

here is an explanation of how it works: https://ferrumgate.com/docs/architecture/internal-design/

wokula commented 1 year ago

Can you give me an email address so that I can communicate with you if I have any questions? Github is too slow to handle the problem.

ferrumgate commented 1 year ago

service@ferrumgate.com or you can ask over https://community.ferrumgate.com

ferrumgate commented 1 year ago

and discord is also fast

wokula commented 1 year ago

This issue can be closed now. The problem has been resolved.

Networks 9999 port, using a public network address.

I am using a domain name