ExpertAssist also comes with Port Forwarding Server. This allows you to forward one or more TCP ports on one computer to another so that separate networks can be bridged.
Before getting into the details of how you would configure your Port Forwarding Server (PFS) we will look at how it works. Picture the following scenario:
You have a Local Area Network (LAN), connected to the Internet with a firewall / proxy server. The computers on the LAN all have non-Internet IP addresses, and they connect to the outside world via the proxy server.
If you have ExpertAssist installed on any computer on the LAN — say, the fileserver — you would be able to access it from within the LAN without any problems. However, it is not accessible from the Internet.
If you set up ExpertAssist and PFS on the firewall, so that a certain port (say, 3000) on the firewall is forwarded to the fileserver’s IP address and ExpertAssist port (2000 by default), accessing port 3000 on the firewall will let you access ExpertAssist on the fileserver. Both from within the LAN and from the outside as well.
When you click on the Port Forwarding Config page under the Server Functions object in the tree you can set up the above scenario. In order to look at the interface for this feature we will look at some more possible scenarios.
Imagine, for example, the following situation:
The firewall’s Internet IP address is 22.214.171.124
The firewall’s LAN IP address is 192.168.0.2
The fileserver’s LAN IP address is 192.168.0.10. ExpertAssist is installed on both computers, and is listening on port 2000.
The IP addresses used in the foregoing are for demonstration purposes only.
What we need to do is simple: map port 3000 on the firewall computer to port 2000 on the fileserver. Having called up the Port Forwarding Config page from the tree you can now add a new rule by clicking the Create forwarding rule button.
The Protocol drop-down list in the In group should have TCP selected in it. Other protocols (SSL, CSSL) will be discussed later. The IP Address drop-down list in the In group can be set to an * (asterisk) meaning that the port will be forwarded from all IP addresses of the firewall. If you want to use a single IP address instead of all assigned ones, select it here. The Port edit box in the Incoming group can be anything not already in use on the computer – in our case it is 3000.
The Protocol drop-down list in the Out group should have TCP selected in it. The IP Address edit box in the Out group will be 192.168.0.10 (or the actual DNS address of the host), and the Port edit box will be 2000. The Defer and the Timeout values can be left to their defaults. These will be explained later.
The Description field lets you specify a remark associated with the port forwarding item. This will be displayed in the table on the Port Forwarding Config page.
If you fill out the dialog and click the Apply button, the item will be listed on the Port Forwarding Config page.
That’s really all there is to it. Your first port forwarding item has now been configured.
You can edit a port forwarding item by double clicking it, or by selecting on it and clicking on the Modify Rule button.
You can specify IP address restrictions for the item from the IP address filter profile drop-down list. This works exactly like the Quest ExpertAssist IP Filtering feature, only it restricts incoming connections to the corresponding port forwarding item only. For more information, please read the documentation on IP Filtering.
This setting lets you specify how long the PFS will hold a connection open with no data going through it in either direction. When the amount of time specified here is reached and the connection is idle, both ends of the connection will be closed gracefully.
This setting lets you specify a timeout value for a special condition. When one end of the connection has been closed, but the other is still open, PFS will wait this much time for the open end of the connection to be closed. It will then close the connection itself.
These fields let you specify SSL or CSSL as well as TCP. To translate SSL connections to TCP or TCP to SSL, and thus behave as an SSL proxy for applications that are not SSL-enabled, simply set one end to SSL and the other end to TCP.
There are situations when SSL encryption would be a very nice thing to have, but neither the client nor the server support it. In this case, you can use two installations of Quest ExpertAssist: one to translate the connection from TCP to SSL, the other to translate it back from SSL to TCP.
Let’s suppose that you are using a laptop with a dialup account, and your email software does not support SSL. Let’s also suppose that your corporate mail server does not support SSL either. If you still want to keep your email secure, you can install Quest ExpertAssist both on your laptop and on the email server, and set up a port forwarding item on both computers.
On your laptop, you would need to do the following:
- Create a port forwarding item with the incoming IP address as 127.0.0.1 (the loopback address), the incoming port as 3110, the incoming protocol is TCP. The outgoing IP address or host name would be set to that of your email server, the outgoing port would be set to 3110, and the outgoing protocol would be SSL.
- Change your email client’s preferences so that the POP3 server is 127.0.0.1 and the port is 3110.
On the mail server, you would need to only create one port forwarding item, with the incoming IP address set to your mail server’s Internet IP address, the incoming port would be 3110, and the incoming protocol would be SSL. The outgoing IP address would be the same (the mail server’s Internet IP address), the outgoing port would be 110 (the standard POP3 port), and the outgoing protocol would be set to TCP.
If you performed the above three steps, starting up your email client and checking for mail would actually go through two port forwarding servers; the first one being on your own computer, encrypting all data before it’s sent to the mail server. The mail server’s port forwarding server would receive the encrypted data, and decrypt it before sending it on to the actual mail server software. Data flowing in the other direction would be also seamlessly encrypted and decrypted.
However, if you have two Quest ExpertAssist Port Forwarding Servers talking to each other, you could also utilize the proprietary CSSL protocol instead of using plain SSL. CSSL, which stands for Compressed SSL, would also seamlessly compress and decompress your data as well as encrypt and decrypt it - to keep to the above example, making your mail arrive much faster over a dialup connection. (And also, to properly finish the laptop/email example, you would also have to create one additional port forwarding item on both computers for the SMTP protocol that is used to send email as opposed to receiving it. This runs on port 25 by default.)
Click the Export button to download a CSV file containing the list of custom port forwarding rules to your local computer.
If you have configured your Port Forwarding Server as in the examples above, you will be able to view the status of your Port Forwarding connections by clicking on Port Forwarding Status page under Server Functions object in the tree.
Click the Export button to download a CSV file containing detailed information about port forwarding operations for each of the port forwarding rules created on the Port Forwarding Config page.
This page allows the browsing of the Active Directory nodes using LDAP.
Under Scheduling & Alerts, you can make use of ExpertAssist’s scripting capabilities, as well as set up a service to send you email alerts when certain events occur on the remote machine.
This powerful feature of the ExpertAssist enables you to monitor the system based on the performance data collected.
You can also define conditions, and actions to be performed. A condition and an associated action are known as a rule.