
So how does that work?


Stevie


We have moved a piece of 3rd party software to a cloud-based solution. The department that uses it was using it installed locally for a while but it is really old software, still using FoxPro. Anyway, they said they now have a cloud solution (the same old software just run on a VM managed by an external host).

They use GraphOn's Go-Global and UKFast (I won't mention reviews :) or what their support is like :) )

Anyway. So we have an address for the package. When you visit it, if Go-Global isn't installed then it requests to. Once that's installed the remote application now loads.

We had one user where it refused to connect and would come back with "failed to connect to "THE ADDRESS" on port #443" from Go-Global.

They suggested this was a firewall issue but it can't have been because when I logged on it connected fine. "I'm a domain admin" I thought, but it can't be that as it was my normal account. "I have more rights through the proxy than the average user" I thought, so I got another user with the same rights as (let's call them "user 1") to log on to "user 1's" PC. User 2 logs on and it works fine for them so it proves it can't be the firewall or the proxy otherwise it shouldn't work for "user 2".

I then log on to another PC (remember, it worked for me on user 1's PC) but it refused to work on the other PC. I was getting the same "failed to connect to "THE ADDRESS" on port #443". Moved back to User 1's PC and it worked fine for me.

Now comes the weird bit: if I run Fiddler on User 1's PC while User 1 is logged in, it connects fine. Turn Fiddler off and we get the "failed to connect to "THE ADDRESS" on port #443" message again.

Any ideas what Fiddler would be doing to make the connection work? I thought Fiddler just chained to a proxy and nothing else, so why would it make a connection just fine with Fiddler running but not when Fiddler isn't running?


Call me an idiot, but might it be that you're only allowed a certain number of users on the target machine, and the session is still considered active?


Call me an idiot, but might it be that you're only allowed a certain number of users on the target machine, and the session is still considered active?

It's not a stupid comment but nope, that's not the issue. There are only 6 users of the software. The security on the VM is shockingly bad but that's another story.

What we don't understand is they keep claiming it's a firewall issue our end, but it can't be as it works for me and another user on the same PC. Move PCs and for us it doesn't work. However, 3rd line made a change on the firewall for that address and the issue went away. Suggesting it was a firewall issue. But how can it be, when it worked fine for me and the other user; neither of us have special firewall permissions? And if it was the firewall how comes it didn't work for User 1 but then when Fiddler was run it then did connect and work?

Very odd.


Ask what, specifically, they changed on the firewall. Sounds weird.

From what I can remember, it was a week or two ago, simply just allowed the IP address for UKFast's host through the wall, nothing more.

EDIT-I'll try to remember to ask on Monday to double check.

Edited by Stevie

Currently I still think it's GoGlobal's end, despite them denying it because I'm home tonight and it briefly did it to me and I KNOW my firewall has no block on.

The setup seems a bit of a mess as is. The software is really old so needs stupid access rights to sensitive areas. Once you've connected and the app is running it's easy to break out of the app and now be on the VM. Worse still, you can freely traverse the directories like C:\windows\system32, run cmd unchallenged and even run RDP unchallenged. Gets even worse; the machine has Internet access for some reason. So you can freely download apps and run them, such as the IP scanner I downloaded and ran to show them all the IPs viewable on that subnet. Pointed out all these flaws to them and all they did was make all the folders on C hidden. Means nothing when you can freely run explorer and then tell it to show hidden folders.

Before anyone asks, I do have permission. When we tested part of the app before, it crashed and loaded IE and we broke out that way. Since pointing that bug out they've asked me to test some more; I don't even work for them, I should be charging a fee :)


  • 2 weeks later...

What are the OS's connecting in question (All the same, some XP, some Win 7, OSX, etc?), and what is the last octet of the IP address you connect to with the client app?

I browsed the posts briefly, so forgive me if I missed anything, but I recall an issue I had with my own domain at one time: my hosted IP's last octet ended in 255, and anyone using XP could not connect to my site due to older networking protocols (no subnet 0/classless capabilities, only classful addressing capabilities). XP thought it was a broadcast address and wouldn't open the site, but Linux, Win 7, OSX, etc. could connect fine. The Go-Global client app may not show that this is happening, so a port scan or raw telnet to port 443 from the machines having this issue might show if they can reach the IP on port 443.

Another thing to check (in Windows), under services.msc, is whether the "IP Helper" service is disabled. This usually only affects IPv6, but wonder if it's causing any HTTPS issues with their app. I keep mine disabled, since I also disable IPv6 in various places, and never had any issues connecting to https enabled anything, but just curious if the Go-Global client app requires something that uses it or another specific service that is disabled on the machines in question that can't connect vs the ones that can. Compare enabled services between all nodes trying to connect just to rule any out.

Last thought, uninstall, and reinstall the Go-Global app with administrator access enabled, ie: right click, "run as administrator" for their setup executable.

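A scripted form of the raw connect to port 443 suggested in the post above, extended to also request a CONNECT tunnel through a local proxy, so that "works only while Fiddler is running" can be told apart from a plain block. This is an added example, not part of the original posts; the function names and the use of 127.0.0.1:8888 as the proxy address (Fiddler's default listener) are assumptions.

```python
import socket

def direct_connect(host, port=443, timeout=5.0):
    """Plain TCP connect, the scripted form of 'telnet host 443'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP handshake completed"
    except OSError as exc:  # refused, timed out, unreachable, DNS failure
        return False, f"{type(exc).__name__}: {exc}"

def proxy_connect(proxy, host, port=443, timeout=5.0):
    """Ask the HTTP proxy at (ip, port) for a CONNECT tunnel to host:port."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    try:
        with socket.create_connection(proxy, timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            status = sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    fields = status.split()
    return len(fields) >= 2 and fields[1] == "200", status

def classify(direct_ok, proxy_ok):
    """Turn the two results into the conclusion they support."""
    if direct_ok and proxy_ok:
        return "both paths reach the port; look at the client or the server"
    if proxy_ok:
        return "only the proxied path works; check direct-egress filtering"
    if direct_ok:
        return "only the direct path works; check the proxy and its rules"
    return "neither path works; check routing, DNS and the remote listener"

def diagnose(host, proxy, port=443, timeout=5.0):
    direct = direct_connect(host, port, timeout)
    proxied = proxy_connect(proxy, host, port, timeout)
    return {"direct": direct, "proxied": proxied,
            "verdict": classify(direct[0], proxied[0])}

if __name__ == "__main__":
    # Constructed stand-in for the hosted service: a local listening socket.
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        target_port = listener.getsockname()[1]
        # 127.0.0.1:8888 is assumed to be the local proxy (Fiddler's default).
        report = diagnose("127.0.0.1", ("127.0.0.1", 8888), target_port, 2.0)
    for key, value in report.items():
        print(key, "->", value)
```

Run it once as the affected user on the affected PC and once as a user for whom the app works; differing verdicts point at a per-user or per-machine path difference rather than at the remote host.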

  • 2 weeks later...

Not sure of the address, would need to check at work. Most of the security flaws their end are fixed but as I've mentioned to them my knowledge is VERY basic. If I could do what I did, someone else with more knowledge will wreck their setup, it's still not perfect.

All client machines are Windows 7. What I don't understand is why, when that message happens to that user, it then works fine when Fiddler is running.

It all works now so I can't recreate the problem. Appeared to stop working when the firewall rule was put in, despite it working when there was no rule for me and the other user.


Something you mentioned above just clicked, which MAY be why it worked with Fiddler, and that's your HTTP clients connecting could be leaving out info or the server not processing it correctly with something as stupid as a missing content type or a space in the request. Fiddler may be more strict or less strict, depending on what the issue is. Check this video, key part around 16:30:

http://www.youtube.com/watch?feature=player_detailpage&v=VV7b7fs4VI8#t=1000

Edited by digip