Target Audience: Massey University staff
A firewall is a security measure designed to block unauthorised access to a computer's network. All messages entering or leaving a network pass through the firewall. The firewall examines each message to ensure nothing private goes out and nothing malicious comes in.
- Submit a Firewall Bypass/Proxy/Relay Application
- Once submitted, the approval email will need to be forwarded to the Service Desk by the authoriser.
After approval, the appropriate configuration changes will be made to the relay, proxy or firewall. This will ensure that:
- All appropriate information has been captured so that the relay or proxy can be configured correctly, or that the bypass requested cannot be implemented using a relay or proxy
- The user is aware of, and has accepted, the risks, liabilities and conditions associated with exposure to the Internet.
Service relays and proxies
Internal hosts are usually exposed to allow web pages to be served to the Internet. Direct exposure is not necessary and not desirable.
If the Web Server can be identified by a network alias, and that alias is used solely for accessing web pages (for example, it is not intended to provide access to any other services), ITS can provide access using a URL or HTTP Reverse Proxy. If the alias is used to provide access to other services, HTTP access must be provided through a firewall bypass filter.
ITS strongly recommends that appropriate aliases be used for each service. The means by which those services are delivered can be independent; for example: www-chemistry and ftp-chemistry rather than simply 'chemistry'.
The URL / HTTP reverse proxy
All incoming requests for pages can be served by a single server. A secondary backup server can be brought into service in the event of a failure. This server can then remap the request to the appropriate internal server and/or directory.
The mapping functions available will allow an internal server to support multiple web sites in different directories yet present them to the Internet as though each was in fact hosted on its own server.
Examples of possible mappings:
- A URL to an Internal Server
- A URL to an Internal Server Directory or Folder: http://chemistry.massey.ac.nz/
- A URL which includes a directory to an Internal Server: http://chemistry.massey.ac.nz/courses/
- A URL which includes a directory to an Internal Server Directory: https://www.massey.ac.nz/Chemistry/
Ensure that all URLs embedded in the various documents are relative rather than absolute. If they must be absolute, refer to the 'Virtual Server' not to the real one. The Proxy will rewrite inappropriate URLs where it can.
The content of any internal web server that is accessible from the Internet must conform to the Requirements for websites.
Statistics generated by the internal HTTP server may not be useful, since requests reach it from the proxy rather than directly from the external client.
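The four mapping kinds listed above, worked through in code. This is an added illustration written for this page, not ITS's proxy configuration: the host names (chemistry.example.ac.nz, webhost1.internal and so on), the mapping table and the path layout are all constructed. It shows the longest-prefix lookup that lets one internal server host several sites, the refusal of '..' segments so a request cannot climb out of a mapped directory, and the rewriting of absolute internal URLs back to the 'Virtual Server' form the text asks for.

```python
from urllib.parse import urlsplit, unquote

# Mapping table for the four kinds of mapping listed above: external URL prefix ->
# internal URL prefix.  Constructed sample hosts and paths, not a real configuration.
MAPPINGS = {
    # A URL to an internal server
    "http://chemistry.example.ac.nz/": "http://webhost1.internal/",
    # A URL to an internal server directory
    "http://physics.example.ac.nz/": "http://webhost1.internal/sites/physics/",
    # A URL which includes a directory to an internal server
    "http://chemistry.example.ac.nz/courses/": "http://courses-host.internal/",
    # A URL which includes a directory to an internal server directory
    "https://www.example.ac.nz/Chemistry/": "http://webhost1.internal/sites/chemistry/",
}


def _normalise(url):
    """Lower-case scheme and host, default the path to '/', keep the query separately."""
    p = urlsplit(url)
    host = p.hostname or ""          # urlsplit already lower-cases the host
    if p.port:
        host = f"{host}:{p.port}"
    return p.scheme.lower(), host, p.path or "/", p.query


def map_request(external_url):
    """Return the internal URL the proxy should fetch for an external request, or None
    when no mapping applies (the proxy should then answer 404 rather than guess).
    The longest matching external prefix wins, so chemistry.../courses/ beats
    chemistry.../ for anything under /courses/."""
    scheme, host, path, query = _normalise(external_url)
    # Refuse '..' segments (also percent-encoded ones) so a request cannot climb
    # out of the directory the mapping points at.
    if ".." in unquote(path).split("/"):
        return None
    requested = f"{scheme}://{host}{path}"
    best = None
    for ext_prefix in MAPPINGS:
        if requested.startswith(ext_prefix) and (best is None or len(ext_prefix) > len(best)):
            best = ext_prefix
    if best is None:
        return None
    internal = MAPPINGS[best] + requested[len(best):]
    return f"{internal}?{query}" if query else internal


def rewrite_absolute_urls(body):
    """Rewrite absolute internal URLs in a response body to the external ('Virtual
    Server') form.  Longest internal prefix first, so .../sites/chemistry/ is mapped
    before the bare server prefix that would otherwise swallow it."""
    by_length = sorted(MAPPINGS.items(), key=lambda kv: len(kv[1]), reverse=True)
    for ext_prefix, int_prefix in by_length:
        body = body.replace(int_prefix, ext_prefix)
    return body
```

The rewrite step only repairs absolute URLs that happen to match the table; documents should still use relative links, because anything the proxy cannot recognise (for example a link built by client-side script) will leak the real internal server name.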
File Transfer Servers
All incoming FTP requests must be directed to the FTP Proxy (gatekeeper.massey.ac.nz). If an internal server has been authorised, the FTP Proxy can establish a connection on behalf of the external client.
The appropriate internal server is identified by using a modified user id of the form username@internal-server.
Example 1: Command Line Client
Connected to its-relay1.massey.ac.nz.
If a command-based FTP client is not being used, it must still connect to the FTP Proxy first. Enter "username@internal-server" in the dialogue box where a user name is required, and specify the correct password for 'username'.
Once connected, all of the normal FTP commands should work exactly the same as if you had made the connection directly to the server.
All incoming TELNET requests must be directed at the TELNET Proxy (gatekeeper.massey.ac.nz).
If an internal server has been authorised, the TELNET Proxy can establish a connection on behalf of the external client.
Example 1: Telnet Session
telnet gatekeeper.massey.ac.nz
Connected to its-relay2.massey.ac.nz.
Escape character is '^]'.
| Massey University TELNET Proxy |
| All connections to TELNET servers at Massey University are intercepted |
| by our TELNET Proxy. |
| To connect to an internal server, a connection must be opened from the |
| proxy. |
| i.e. c server-name |
| If a connection can not be established, you will need to contact the |
| administrator of that server as all internal servers must be authorised |
MU Telnet Proxy>c a-server
Trying 220.127.116.11 port 23...
Connected to a-server.
Digital UNIX (a-server) (ttyqf)
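Both relays above take the target server from the client (the FTP proxy from the username@internal-server user id, the TELNET proxy from the "c server-name" command) and the page is clear that only authorised internal servers may be reached. The following is an added example of how a relay can resolve and check that target; it is not Massey's relay code. The internal domain suffix (internal.example), the allow-list contents and the host-name syntax check are assumptions.

```python
import re

INTERNAL_DOMAIN = "internal.example"  # assumed DNS suffix used to qualify bare server names

# Constructed allow-list.  Every internal server reached through the proxy must be
# authorised, so the relay only ever connects to a name that is in this set.
AUTHORISED_SERVERS = {
    "ftp-chemistry.internal.example",
    "a-server.internal.example",
    "its-unix1.internal.example",
}

# Host-name labels: letters, digits and internal hyphens, joined by dots.
_HOST_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")


class RelayError(ValueError):
    """Raised when the relay refuses a request; the message is safe to show the client."""


def canonical_host(name):
    """Lower-case the name, drop a trailing dot and qualify bare names with the internal domain."""
    name = name.strip().lower().rstrip(".")
    if not _HOST_RE.fullmatch(name):
        raise RelayError("malformed server name")
    if "." not in name:
        name = f"{name}.{INTERNAL_DOMAIN}"
    return name


def authorise(server):
    """Exact match against the allow-list: a longer name that merely starts with an
    authorised one is simply not in the set, so no prefix or wildcard logic is needed."""
    if server not in AUTHORISED_SERVERS:
        raise RelayError(f"{server} is not an authorised internal server; "
                         "contact the administrator of that server")
    return server


def resolve_ftp_login(user_id):
    """Split the modified FTP user id 'username@internal-server' into (username, server).
    The split is on the last '@' so a username that itself contains '@' still works."""
    username, sep, server = user_id.rpartition("@")
    if not sep or not username:
        raise RelayError("user id must be of the form username@internal-server")
    return username, authorise(canonical_host(server))


def resolve_telnet_command(line):
    """Handle the proxy prompt's 'c server-name' command and return the server to connect to."""
    parts = line.split()
    if len(parts) != 2 or parts[0] != "c":
        raise RelayError("usage: c server-name")
    return authorise(canonical_host(parts[1]))


def relay_accepts(resolver, value):
    """True if the resolver accepts the value, False if the relay would refuse it."""
    try:
        resolver(value)
        return True
    except RelayError:
        return False
```

Keeping the decision to a single exact-match lookup is what makes the "all internal servers must be authorised" rule enforceable: the relay never resolves a name the administrator did not put on the list, and a refused request tells the user to contact that server's administrator, exactly as the proxy banner says.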
The default policy allows connections from within the Massey Network to anywhere on the Internet; however, some protocols work in the reverse direction. X11 is an example.
The X11 server runs on the local equipment and the X11 client is the application on the remote server. When a remote application is started, it attempts to initiate a connection back through the firewall; without a proxy, these connections would be blocked.
Using the X11 proxy from within the firewall
To run an X11 application on a remote server, you must initiate the application by first connecting through the firewall. You then tell the firewall you wish it to establish an X11 proxy for you.
Example 1: Initiating an X11 Application
Using the X11 proxy from outside the firewall
To connect to a Massey server, the server must first have been authorised. Assuming that this has been done, connect to the relay itself, then tell the telnet proxy which Massey server to connect to; it will do so on your behalf.
Example 2: External X11
Connected to its-relay2.massey.ac.nz
Escape character is '^]'.
Massey University Telnet Proxy Service
MU Telnet Proxy> its-unix1.massey.ac.nz
Trying 18.104.22.168 port 23...
Connected to its-unix1.massey.ac.nz.
Escape character is '^]'.
Digital UNIX (its-unix1) (ttypf)
setenv DISPLAY your.server:0.0
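The reason X11 needs a proxy at all is the stateful default policy described above: the telnet session is an outbound connection and is allowed, but the X11 client's connection back to the display port is a new inbound connection that nothing has solicited. The model below is an added illustration written for this page, not Massey's firewall or proxy implementation; the 10.0.0.0/8 inside range, the constructed addresses, and the way "asking the firewall for an X11 proxy" is modelled as pre-authorising one reverse connection from the server you are logged in to are all assumptions. It also derives the display port from a DISPLAY value of the form used in the last line of the example.

```python
import ipaddress
from dataclasses import dataclass, field

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed address range of the inside network
X11_BASE_PORT = 6000                               # X display :N listens on TCP 6000 + N


def display_port(display):
    """TCP port for a DISPLAY value such as 'your.server:0.0' (display 0 -> port 6000)."""
    host, sep, rest = display.partition(":")
    if not sep or not host:
        raise ValueError("DISPLAY must be of the form host:display[.screen]")
    return X11_BASE_PORT + int(rest.split(".")[0])


@dataclass(frozen=True)
class Flow:
    src: str    # address initiating the TCP connection
    dst: str    # address being connected to
    dport: int  # destination port


@dataclass
class StatefulFirewall:
    """Default policy from the text: inside -> Internet allowed, unsolicited inbound refused."""
    established: set = field(default_factory=set)   # flows opened from inside
    expected: set = field(default_factory=set)      # reverse flows a proxy has pre-authorised

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in INSIDE_NET

    def new_connection(self, flow):
        """Decide a connection attempt and return (allowed, reason)."""
        if self._inside(flow.src) and not self._inside(flow.dst):
            self.established.add(flow)
            return True, "outbound from the inside network: allowed by default policy"
        if flow in self.expected:
            self.expected.discard(flow)   # one reverse connection per proxy request
            return True, "reverse connection pre-authorised by the X11 proxy"
        return False, "unsolicited inbound connection: blocked"

    def request_x11_proxy(self, local_host, remote_server, display="localhost:0.0"):
        """Assumed model of asking the firewall for an X11 proxy: only the remote server
        the user already has an outbound session to may connect back, and only to that
        user's own display port.  Returns False if there is no such session."""
        if not any(f.src == local_host and f.dst == remote_server for f in self.established):
            return False
        self.expected.add(Flow(src=remote_server, dst=local_host, dport=display_port(display)))
        return True


def x11_walkthrough():
    """Replay the scenario from the text with constructed addresses; returns each decision by name."""
    fw = StatefulFirewall()
    me, remote, other = "10.1.2.3", "203.0.113.10", "198.51.100.7"
    steps = {}
    steps["telnet_out"] = fw.new_connection(Flow(me, remote, 23))[0]
    steps["x11_back_no_proxy"] = fw.new_connection(Flow(remote, me, 6000))[0]
    steps["proxy_for_unknown_server"] = fw.request_x11_proxy(me, other)
    steps["proxy_setup"] = fw.request_x11_proxy(me, remote, f"{me}:0.0")
    steps["x11_back_with_proxy"] = fw.new_connection(Flow(remote, me, 6000))[0]
    steps["x11_back_from_other_host"] = fw.new_connection(Flow(other, me, 6000))[0]
    return steps


if __name__ == "__main__":
    for name, allowed in x11_walkthrough().items():
        print(f"{name:28s} {'ALLOWED' if allowed else 'BLOCKED'}")
```

The point of the model is the difference between the two ways of letting X11 through: a blanket inbound rule for port 6000 would admit any host on the Internet to every display on the inside, whereas the proxy only admits the one server the user is already logged in to, for one connection, to that user's display.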
Page authorised by CIO
Last updated on Wednesday 20 November 2019