alacrity in action

If you work in IT, Internet access is taken for granted. I know no one who could do their .NET job without Google, MSDN, StackOverflow and a plethora of other resources on the web, including social networking sites. (Well, Jon Skeet perhaps.) You get the access and implicitly agree to use it wisely and efficiently; this is what responsible professionals do.

[Image: tunnel-stage1]

Assume, however, that your company has, theoretically, decided to restrict access to the Internet and forward all traffic through a proxy server. That proxy will then filter some of the traffic and block things like webmail, social networking sites, media streaming services, IM, etc. It will usually be done for ‘security’ reasons.

[Image: tunnel-stage2]

So the company would have done what companies (that is, senior management) like doing most – solving management problems with technology.

If you were to find yourself in such a situation, is there anything that could be done to allow you to keep working? Here is one idea: find a server on the Internet, create an SSH tunnel via the corporate proxy to that server, and proxy your Internet access through the external machine. This is roughly what the setup would look like:

[Image: tunnel-stage3]

And this is what you would need:

1.) An SSH client (like PuTTY) on your local machine that can connect through the proxy to a remote machine on the Internet (that is, assuming the HTTP proxy server accepts HTTPS connections made with the CONNECT method, which most proxies do) and do port forwarding. Here are some sample settings:

[Images: putty-proxy, putty-tunnel]

2.) A remote machine that listens for SSH connections on port 443 and that runs a local proxy server. Apache running mod_proxy will do. I hope I don’t have to emphasize the need to secure mod_proxy (an open forward proxy on the Internet will be found and abused quickly).

What happens is that PuTTY connects through the corporate proxy to your remote machine and forwards the remote proxy’s local port to your local PC. You then need to point your browser of choice to use localhost:8080 as its proxy server.

If your corporate proxy requires authentication (as I hope most basic corporate proxies would), you will need to provide a username and password. If you live in the Microsoft world, chances are the proxy authentication mechanism of choice will be NTLM. This would pose an additional problem, since PuTTY can’t handle this authentication mechanism. There would be a simple solution, however: just overlay another proxy on top. cntlm, a nifty little “Fast NTLM Authentication Proxy in C”, would do the job.

[Image: tunnel-stage4]
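From the other side of the fence: a proxy administrator can spot exactly this setup, because an SSH session looks nothing like HTTPS once the CONNECT handshake is done. The following is an added example, not code from this post, and it assumes a Squid-style access.log layout (timestamp, elapsed milliseconds, client, code/status, bytes, method, host:port, user, hierarchy, type); the sample log lines are constructed. It classifies the first bytes seen inside a CONNECT tunnel (a plaintext SSH version banner versus a TLS handshake record) and flags CONNECT tunnels that stay open for hours, which is what an interactive SSH session through the proxy would do.

```python
import re

# Heuristic classifier for the first bytes exchanged inside a CONNECT tunnel.
# A genuine TLS session starts with a handshake record (content type 0x16,
# major version 0x03); an SSH session starts with a plaintext version banner.
def classify_tunnel_payload(first_bytes: bytes) -> str:
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"

# Squid-style access.log fields (assumed layout):
#   timestamp elapsed_ms client code/status bytes method host:port user hier type
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)"
)

def long_lived_connects(lines, min_seconds=3600):
    """Return (client, host, port, seconds) for CONNECT tunnels that stayed open
    longer than min_seconds. A browser's TLS connection to a web site is normally
    closed within minutes; an interactive SSH session stays up for hours."""
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue
        seconds = int(m.group("elapsed")) / 1000
        if seconds >= min_seconds:
            hits.append((m.group("client"), m.group("host"),
                         int(m.group("port")), round(seconds)))
    return hits

# Constructed sample log: a normal HTTPS fetch, a two-hour tunnel, a denied GET.
SAMPLE_LOG = """\
1700000000.123     812 10.0.0.5 TCP_TUNNEL/200 45210 CONNECT www.example.com:443 jdoe HIER_DIRECT/93.184.216.34 -
1700000001.456 7201000 10.0.0.7 TCP_TUNNEL/200 983211 CONNECT vps.example.net:443 asmith HIER_DIRECT/203.0.113.9 -
1700000002.789      45 10.0.0.5 TCP_DENIED/403 3920 GET http://mail.example.org/ jdoe HIER_NONE/- text/html
"""

if __name__ == "__main__":
    print(classify_tunnel_payload(b"SSH-2.0-OpenSSH_8.9"))  # ssh
    for hit in long_lived_connects(SAMPLE_LOG.splitlines()):
        print("long-lived CONNECT tunnel:", hit)
```

The duration check is a heuristic and will also catch legitimate long-lived connections (websockets, push notifications), so treat hits as leads to review, not verdicts.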

So you could theoretically do all the above and would probably breach at least half a dozen corporate policies. Being a responsible professional you would never do so. Instead you’d ask yourself a simple question – if you are not trusted to use the Internet in a responsible way, perhaps it’s time to look for another job.

Comments (1)

  1. Nice explanation and nice advice. 😉
    A small typo…it’s NTLM and not NTML.
