Accessing CIFS Shares via Luminate Secure Access Cloud



Article ID: 174901


Products

Symantec ZTNA

Issue/Introduction

Accessing CIFS Shares via Luminate Secure Access Cloud

Resolution

CIFS (the original dialect of the SMB protocol family) is delivered over standard TCP ports: 445 (direct hosting) or 139 (NetBIOS session service); the NetBIOS name and datagram services additionally use UDP ports 137 and 138. If it is absolutely necessary to access native CIFS shares via Luminate Secure Access Cloud (TM), it can be done via an SSH tunnel to destination port 445 of the eventual File Shares server. The architecture is described in the below diagram:

To obtain access, the following operations need to be performed on each accessing client/workstation, once per File Shares server:

  • A dedicated local IP address (on a loopback or dedicated network interface) needs to be defined. The built-in CIFS clients cannot be pointed at a non-standard port, so every file server needs its own local address on which port 445 can be tunnelled.
  • An SSH tunnel needs to be established, through an SSH server in the datacenter, to port 445 of the CIFS File Shares server.

The steps below explain how to perform the above on Mac OS X and on a Windows workstation. Please note that the procedure for a Windows workstation is extremely complex and, while it can be automated with the attached scripts, it is not recommended for use. Access via an SFTP client is much more stable and performs better.

 

Access to CIFS Shares from Mac OS X

Step I - Bring up an additional Localhost Interface

Unlike other operating systems (Linux, for example, routes the whole 127.0.0.0/8 block to the loopback interface), Mac OS X by default assigns only the 127.0.0.1 IP address to the loopback interface lo0. To add another address, run:

sudo ifconfig lo0 alias 127.0.1.1

Where 127.0.1.1 is the IP address that will be used in the following steps to create a tunnel to a CIFS server. The alias does not survive a reboot, so the command has to be repeated (or placed in a startup script) after each restart.

 

Step II - Configure an SSH Tunnel

In this step we create a tunnel to the destination server's TCP port 445. Please refer to this article for details on TCP port tunnelling via SSH.

sudo ssh -l user@ssh-bastion ssh-bastion.tenant.luminatesec.com -L 127.0.1.1:445:Destination-IP:445

With the following parameters:

  • 127.0.1.1 is the IP address of the loopback interface used in the previous step
  • user@ssh-bastion is the user name required for connecting to the SSH Bastion via Luminate; because the user name itself contains an @, it is passed with -l instead of the user@host form
  • ssh-bastion.tenant.luminatesec.com is the address of the SSH Bastion accessible via Luminate
  • Destination-IP is the IP address of the actual File Shares server, accessible from the Bastion

Please note that, as we are binding a privileged local port (445), the command needs to be executed with sudo. As a consequence ssh runs as root and reads root's ~/.ssh directory (config, known_hosts and keys) rather than yours, so pass the private key downloaded from the Luminate User Portal explicitly with -i. Adding -N makes ssh forward the port only, without opening a remote shell.

 

Step III - Connect a built-in CIFS Client on Mac OS X to the File Server

Launch the Finder application, then in the menu pick "Go" --> "Connect to Server".

Type smb:// followed by the IP address of the loopback interface used in the previous step to create the tunnel and the share path (in this example, smb://127.0.1.1/Share1).

The Finder window with the share content will open:

 

Access to CIFS Shares from Windows Workstation

Performing the same operations on a Windows workstation is, unfortunately, more complicated. The complication is that, unlike Mac OS X, a Windows workstation (or server) runs the lanman (Server) service, which acts as a CIFS server and listens on TCP port 445 on all interfaces, so an SSH tunnel cannot simply bind port 445 on a local address.

The steps below describe the process required to work around this problem. They are based on the process described at: https://www.nikhef.nl/~janjust/CifsOverSSH/Win10Loopback.html

(Please note that this description targets Windows 10. The article linked above contains links to versions for Windows Vista, Windows 7 and Windows 8, as well as earlier versions.)

 

Step I - Install a dedicated loopback interface Network Adapter

  • Start the Add Hardware Wizard from a console window with elevated (Administrator) privileges by typing
      hdwwiz.exe
    (on older Windows versions it is also reachable via Start->Settings->Control Panel->Add Hardware). The Hardware Wizard will come up.
  • Click Next to continue, then select Install the hardware that I manually select from a list and click Next.
  • Select the entry Network adapters and click Next.
  • First select Microsoft from the list of Manufacturers, then select Microsoft KM-TEST Loopback Adapter from the list of Network Adapters, and click Next once more.
  • The "ready to install" screen is your last chance to abort; otherwise, click Next.
  • After a while the installation completes. Click Finish to exit the Hardware Wizard.

 

Step II - Configure the Network Adapter

The network adapter that was just added must be configured, either manually or via the PowerShell snippet further below.

These are the manual configuration steps:

  • Go to the Network Connections Center.
  • Choose the loopback adapter (usually it is named something like "Local Area Connection #3") and right-click on it.
  • Choose Properties. In the window that appears, make sure that
    • the entry Client for Microsoft Networks is NOT enabled, i.e. does not have a checkmark in front of it;
    • the entry File and Printer Sharing for Microsoft Networks is NOT enabled, i.e. does not have a checkmark in front of it;
    • the entry Internet Protocol Version 4 (TCP/IPv4) is enabled.
  • Select the entry Internet Protocol Version 4 (TCP/IPv4), then click Properties.
  • In the new window select Use the following IP address and fill in the 'IP address' and 'Subnet mask' (the PowerShell snippet below uses 10.255.255.100 and 255.255.255.0; pick a private range that does not collide with any network the workstation really uses). It is not necessary to fill in the 'Default gateway' or a 'DNS server'.
  • Click on Advanced. Deselect Automatic metric and enter 9999 as the 'Interface metric', so that this adapter is never preferred for real traffic. If access to more than one File Shares server is required, add one further IP address per server in this dialog.
  • Click on the WINS tab and select Disable NetBIOS over TCP/IP.
  • Click OK.
  • You are now back in the main 'TCP/IP Properties' screen. Click OK again.
  • You are now back in the main 'Loopback Properties' screen. Click Close.

Alternatively to performing the above configuration steps, the following PowerShell snippet (run from an elevated Windows PowerShell session) can be used:

#Requires -RunAsAdministrator

# Get the most recently created KM-TEST loopback adapter (service name "kmloop") and rename it
$kmloop = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "ServiceName='kmloop'" |
    Sort-Object Index | Select-Object -Last 1
$adapter_name = (Get-NetAdapter -InterfaceIndex $kmloop.InterfaceIndex).Name
Rename-NetAdapter -Name $adapter_name -NewName "Loopback-Cifs"

# Set the primary IP address and subnet mask (no default gateway, no DNS server)
$kmloop.EnableStatic("10.255.255.100", "255.255.255.0") | Out-Null

# Keep only IPv4 bound; detach the SMB client and server components from this adapter.
# ComponentID is used instead of the localized DisplayName so the snippet also works on non-English Windows.
Set-NetAdapterBinding -Name "Loopback-Cifs" -ComponentID ms_tcpip    -Enabled $True    # Internet Protocol Version 4 (TCP/IPv4)
Set-NetAdapterBinding -Name "Loopback-Cifs" -ComponentID ms_tcpip6   -Enabled $False   # Internet Protocol Version 6 (TCP/IPv6)
Set-NetAdapterBinding -Name "Loopback-Cifs" -ComponentID ms_msclient -Enabled $False   # Client for Microsoft Networks
Set-NetAdapterBinding -Name "Loopback-Cifs" -ComponentID ms_server   -Enabled $False   # File and Printer Sharing for Microsoft Networks

# Interface metric 9999 (setting it explicitly also switches off "Automatic metric")
Set-NetIPInterface -InterfaceAlias "Loopback-Cifs" -AddressFamily IPv4 -InterfaceMetric 9999

# TCP/IP --> WINS --> Disable NetBIOS over TCP/IP (0 = default, 1 = enable, 2 = disable)
$kmloop.SetTcpipNetbios(2) | Out-Null

# Define additional IP addresses, one per File Shares server
New-NetIPAddress -InterfaceAlias "Loopback-Cifs" -IPAddress 10.255.255.10 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "Loopback-Cifs" -IPAddress 10.255.255.11 -PrefixLength 24

The script defines two additional IP addresses, 10.255.255.10 and 10.255.255.11, and renames the adapter for more convenient management.

 

Step III - Tweak the lanman service for a later start and define a port-proxy for the tunnel

To be able to tunnel port 445 on the IP addresses defined above, the start of the lanman (Server) service must be delayed so that the port-proxy listener binds to port 445 on these addresses first. Without this, lanman still claims port 445 on the new addresses, even though the Microsoft Networks client and server components have been unbound from the new adapter.

This configuration is done via the following command (from PowerShell or an elevated command prompt; note the mandatory space after "start="):

# Delay the start of lanman; use "demand" instead of "delayed-auto" if this operation is denied

sc.exe config lanmanserver start= delayed-auto

The proxy itself is an entry of the form netsh interface portproxy add v4tov4 with listenaddress and connectaddress both set to the same loopback IP address, listenport=445 and connectport set to the local port that the SSH tunnel will listen on (44445 in Step V). A proxy entry should be added for each IP address that will serve as a connection to a File Shares server, and, as noted, the IP address is used twice in each command. Be aware that with start= demand the Server service no longer starts at boot at all, so the workstation stops serving its own shares until the service is started manually.

 

Step IV - Reboot and, optionally, validate that the system is ready

After performing the above configuration commands, reboot the system. After the reboot, the following commands can be executed to verify that the configuration operates correctly:

  • netsh interface portproxy show v4tov4 - should list the port mappings defined in the previous step
  • netstat -an | find ":445" - should show a LISTENING socket on port 445 for each of the IP addresses defined above (in addition to lanman's own 0.0.0.0:445 listener)
  • sc.exe query lanmanserver - should show the status as RUNNING

 

Step V - Create the tunnel and connect to the shares

Any SSH client capable of creating an SSH tunnel can be used (including, but not limited to, PuTTY, MobaXterm, SecureCRT and others). In the example below we use the Win32-OpenSSH command line ssh client, called from PowerShell:

Start-Process -Windowstyle Minimized -FilePath "C:\OpenSSH-Win64\ssh" -ArgumentList "-L 10.255.255.1:44445:10.0.4.17:445 -i C:\Path\To\Cert\luminate_ssh_key.pem -l username@bastionname bastionname.tenant.luminatesec.com"

  • The location of the OpenSSH client is assumed to be C:\OpenSSH-Win64
  • 10.255.255.1 is assumed to be one of the IP addresses assigned to the loopback adapter in Step II, with a matching port-proxy entry from Step III; 44445 is the port that entry's connectport points at
  • 10.0.4.17 is assumed to be the internal IP address of the File Shares server, accessible from the SSH Bastion
  • C:\Path\To\Cert is assumed to be the location of the luminate_ssh_key.pem file, downloaded from the Luminate User Portal
  • username is assumed to be the user account used at the SSH Bastion (could be any account capable of SSH tunnelling)
  • bastionname is the name of the SSH Bastion, as defined in the Luminate Administration Portal
  • bastionname.tenant.luminatesec.com is the external address associated with the SSH Bastion, as defined in the Luminate Administration Portal

Two things commonly stop a minimised ssh window from working: Win32-OpenSSH refuses a private key whose file permissions grant access to other users (check the ACL of the .pem file if the process exits immediately), and the first connection to the bastion should be made interactively so that its host key can be accepted. Add -N to the argument list if no remote shell is needed, only the port forwarding.

Step VI - Access the shares

Accessing the shares can be done "natively" via Windows Explorer. Just navigate to \\IP-Address\Share_Name, where IP-Address is one of the IP Addresses defined above, and Share_Name is one of the shares. Navigating just to \\IP-Address to see all the exposed shares is also possible.
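The following PowerShell script is added here as a worked example of Steps III to VI for several File Shares servers at once; it is not one of the scripts attached to this article. It assumes the KM-TEST adapter from Steps I and II already carries every address listed in $Targets, that Win32-OpenSSH is installed under $SshExe, and that $KeyFile is the key downloaded from the Luminate User Portal. The bastion name, addresses and share names are placeholders taken from the article, not real identifiers.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not one of the scripts attached to this article).
    .\cifs-tunnels.ps1 -Install   # Step III, then reboot
    .\cifs-tunnels.ps1            # Steps IV to VI after the reboot
  Paths, bastion name, addresses and share names below are assumptions/placeholders.
#>
param([switch]$Install)

$SshExe      = 'C:\OpenSSH-Win64\ssh.exe'
$KeyFile     = 'C:\Path\To\Cert\luminate_ssh_key.pem'
$Bastion     = 'bastionname.tenant.luminatesec.com'
$BastionUser = 'username@bastionname'
$TunnelPort  = 44445   # local port ssh listens on; the portproxy relays 445 to it

# One entry per file server: loopback address on this workstation -> server reachable from the bastion
$Targets = @(
    @{ Local = '10.255.255.10'; Remote = '10.0.4.17'; Share = 'Share1'; Drive = 'S' },
    @{ Local = '10.255.255.11'; Remote = '10.0.4.18'; Share = 'Share2'; Drive = 'T' }
)
$LocalIPs = @($Targets | ForEach-Object { $_.Local })

function Install-CifsPortProxy {
    # Step III: relay 445 on each loopback address to the ssh listener, and let the
    # portproxy (iphlpsvc) bind before the Server service claims 0.0.0.0:445.
    param([string[]]$Addresses, [int]$Port)
    foreach ($ip in $Addresses) {
        netsh.exe interface portproxy delete v4tov4 "listenaddress=$ip" "listenport=445" | Out-Null
        netsh.exe interface portproxy add v4tov4 "listenaddress=$ip" "listenport=445" "connectaddress=$ip" "connectport=$Port" | Out-Null
    }
    sc.exe config lanmanserver start= delayed-auto | Out-Null
}

function Test-CifsPortProxy {
    # Step IV: every address needs a portproxy entry and a listener on 445, and lanman must be up.
    param([string[]]$Addresses)
    $ok = $true
    $table = netsh.exe interface portproxy show v4tov4
    foreach ($ip in $Addresses) {
        $pattern = '^\s*' + [regex]::Escape($ip) + '\s+445\s'
        if (-not ($table | Select-String -Pattern $pattern)) { Write-Warning "no portproxy entry for $ip"; $ok = $false }
        if (-not (Get-NetTCPConnection -LocalAddress $ip -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)) {
            Write-Warning "nothing is listening on ${ip}:445 (reboot pending, or lanman bound the port first)"; $ok = $false
        }
    }
    if ((Get-Service lanmanserver).Status -ne 'Running') { Write-Warning 'lanmanserver is not running'; $ok = $false }
    return $ok
}

function Start-CifsTunnel {
    # Step V: one ssh process per server. -N forwards only; the bastion's host key must
    # already be trusted (connect once interactively), or the minimised window just waits.
    param([hashtable]$Target, [int]$Port)
    $sshArgs = @('-N', '-L', "$($Target.Local):${Port}:$($Target.Remote):445",
                 '-i', $KeyFile, '-l', $BastionUser, $Bastion)
    $proc = Start-Process -FilePath $SshExe -ArgumentList $sshArgs -WindowStyle Minimized -PassThru
    # Do not touch the share until the tunnel's local listener is actually up.
    $deadline = (Get-Date).AddSeconds(20)
    do {
        Start-Sleep -Milliseconds 500
        $up = Get-NetTCPConnection -LocalAddress $Target.Local -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } until ($up -or $proc.HasExited -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "tunnel to $($Target.Remote) via $($Target.Local):$Port did not come up (check key file ACL and host key)" }
    return $proc
}

function Mount-CifsShare {
    # Step VI: map the share through the loopback address; -Persist makes it visible in Explorer.
    param([hashtable]$Target)
    $unc = "\\$($Target.Local)\$($Target.Share)"
    New-PSDrive -Name $Target.Drive -PSProvider FileSystem -Root $unc -Persist -Scope Global | Out-Null
    return $unc
}

if ($Install) {
    Install-CifsPortProxy -Addresses $LocalIPs -Port $TunnelPort
    Write-Host 'Port proxies configured; reboot before starting the tunnels.'
    return
}
if (-not (Test-CifsPortProxy -Addresses $LocalIPs)) { throw 'Steps III/IV are not complete on this workstation' }
# Keep the process objects so the tunnels can be torn down later with: $tunnels | Stop-Process
$tunnels = foreach ($t in $Targets) {
    Start-CifsTunnel -Target $t -Port $TunnelPort
    Write-Host "mapped $($t.Drive): -> $(Mount-CifsShare -Target $t)"
}
```

The script deliberately separates the one-off, reboot-requiring part (-Install) from the per-session part, and refuses to start tunnels until the Step IV checks pass, because the most common failure is lanman having bound 445 on the loopback addresses before the port-proxy did. Because -ArgumentList is joined with spaces, keep the key path free of spaces or quote it inside the array.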

PowerShell snippets implementing the above steps (requiring adjustment/modification to paths and IP addresses) can be found attached to this article.


Accessing CIFS (SMB) shares over the internet is not recommended. The protocol is optimized for local area networks. The guidelines above are not recommended (and will not be supported) for production-grade, large-scale usage. Instead, the recommendation is to use SFTP and SCP access to File Shares.

Attachments

start-multiple-tunnels.ps1
luminate-cifs-setup.ps1