hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Boundary client and HTTP/S proxies which require NTLM authentication #2237

Open skrgoesgit opened 2 years ago

skrgoesgit commented 2 years ago

Is your feature request related to a problem? Please describe.

I would like to introduce Boundary in our company, to connect to important services in AWS over public internet from our workstations (mostly Windows) running in the internal corporate network.

It is a very large company (> 200.000 employees).

Unfortunately, the outgoing communication of the workstations is heavily regulated.

Each workstation can access the Internet only via a defined group of proxy servers. The proxy servers are automatically distributed to all workstations and permanently stored as a system proxy in Windows and all browsers on the system (via a proxy.pac configuration file). A central department is taking care of that.

The Boundary client needs to pass these corporate proxy servers to find its way to the internet. There is no way around.

The user has no possibility to change the proxy server configuration in Windows. In addition, the permanently stored proxy servers require authentication via NTLM. Because all Windows workstations are members of a domain, the user needs to log in to the domain by using its own credentials. Browsers used on the workstations can automatically and transparently forward the user credentials (Kerberos tokens) to the Corporate Proxy servers without entering username and password again. In other words, the successful logon to the domain will automatically authenticate the user for the configured corporate proxy servers.

I think the scenario described so far is very similar in other large enterprises as well.

It would be great if the Boundary client could be integrated in such a scenario.

Describe the solution you'd like

I would be the happiest person in the world, if the Boundary client (at least when running on Windows) would be able to...

1) Detect on its own if there is a proxy server configured in the Windows system settings or rolled out to the system via proxy.pac within a GPO, and use this proxy transparently to connect to the server side of Boundary.

2) Use and forward the already existing Windows credentials (Kerberos token) set by a successful domain logon to do the authentication for the corporate proxies via NTLM, as modern browsers are able to do.

Describe alternatives you've considered

At the moment we are using a tool called "CNTLM proxy", which is executed on each Windows workstation and contains a manually maintained list of all existing corporate proxies. This CNTLM proxy is also handling the NTLM authentication towards the corporate proxies.

For SSH connections, we use Putty and configure within Putty the locally running CNTLM proxy as proxy server, because Putty on its own is not able to do NTLM authentication. When Putty has established an SSH connection through the CNTLM proxy, we are using any kind of SSH tunneling to provide access to our AWS services.

Of course this solution has several drawbacks.

1) Over time the list of manually configured proxies becomes stale, as corporate proxy servers come and go. The end user will not be informed when existing proxy servers are gone and new ones are built up, because the central department distributes the proxy definitions to all Windows clients within the proxy.pac configuration file only, leaving the burden of extracting the latest definitions from the proxy.pac file and writing them to the configuration file of CNTLM proxy to the user of the Windows workstation.

2) The Windows domain password needs to be changed every 3 months by security policy. Each time the password has changed, the user has to manually create a new NTLM password hash based on the new password and put it into the configuration file of CNTLM proxy.

We want to get rid of the CNTLM proxy altogether and use only Boundary for accessing any of our services deployed on AWS (SSH, GIT, RDP, etc.).

Explain any additional use-cases

If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.

Additional context

Add any other context or screenshots about the feature request here.
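The CONNECT tunnel a client like Boundary would have to set up through such a corporate proxy, as an added Go example that is not part of the Boundary code base: it tunnels a raw TCP connection (SSH, RDP or TLS can then run over it) through an HTTP proxy and reports a 407 challenge, the NTLM demand described above, as a typed error carrying the offered schemes, while the NTLM/Negotiate round trips themselves are left out. The proxy address and target are assumed values supplied by the caller.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// ProxyAuthRequired reports a 407: the proxy wants credentials. Schemes holds the
// Proxy-Authenticate values it offered (e.g. NTLM, Negotiate), so a caller can tell
// a corporate auth proxy apart from a dead network path.
type ProxyAuthRequired struct{ Schemes []string }

func (e *ProxyAuthRequired) Error() string {
	return fmt.Sprintf("proxy requires authentication, schemes offered: %v", e.Schemes)
}

// tunnelConn keeps the bufio reader so bytes buffered past the proxy's response
// headers are not lost to whoever uses the tunnel.
type tunnelConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *tunnelConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// DialViaConnectProxy opens a raw TCP tunnel to target ("host:port") through an
// HTTP proxy with the CONNECT method. Only the unauthenticated CONNECT is done:
// an NTLM/Negotiate exchange would have to start once ProxyAuthRequired comes back.
func DialViaConnectProxy(proxyAddr, target string, timeout time.Duration) (net.Conn, error) {
	conn, err := net.DialTimeout("tcp", proxyAddr, timeout)
	if err != nil {
		return nil, err
	}
	fail := func(err error) (net.Conn, error) { conn.Close(); return nil, err }
	_ = conn.SetDeadline(time.Now().Add(timeout)) // bounds the handshake only
	req := &http.Request{Method: http.MethodConnect, URL: &url.URL{Opaque: target}, Host: target, Header: make(http.Header)}
	if err := req.Write(conn); err != nil {
		return fail(err)
	}
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, req)
	if err != nil {
		return fail(err)
	}
	if resp.StatusCode == http.StatusProxyAuthRequired {
		return fail(&ProxyAuthRequired{Schemes: resp.Header.Values("Proxy-Authenticate")})
	}
	if resp.StatusCode != http.StatusOK {
		return fail(fmt.Errorf("proxy refused CONNECT to %s: %s", target, resp.Status))
	}
	_ = conn.SetDeadline(time.Time{}) // the tunnel itself carries no deadline
	return &tunnelConn{Conn: conn, r: br}, nil
}
```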

logamanig commented 1 year ago

Hi, any plan to support boundary access behind corporate proxy?

thank you!