Terminal Services - can a user's physical location be identified? - terminal-services

When using Terminal Services (maybe with or maybe without Citrix add-ons), can the physical location of the user be identified?
The client workstation h/w is a mixture - sometimes a Windows pc, other times a thin client unit (eg Wyse, etc).
Our app needs to vary the business functionality based, essentially, on the location of the user. For instance, compliance with different state laws, or cash handling (a cash drawer can be used by any workstation at a branch or store, but can't be accessed from other branches or stores).
Also can't depend on a user's logon to identify their location - while most users will only be working at one location, some users do travel from one location to another. Having different logons for each location is not an option, for security and audit reasons.
Other than asking the user where they are (a problematic solution, for sure), are there any APIs, systemic support or techniques for addressing this type of need?
Thanks!

On the Remote Desktop server, you can identify the approximate physical location of the user based on their IP address. You can obtain the remote IP address associated with a session using the Win32 API function WinStationQueryInformationW with the information class WinStationRemoteAddress. If you are using a .NET language, you can use the Cassia library -- the remote IP endpoint is exposed as ITerminalServicesSession.RemoteEndPoint. Do not confuse the remote IP address with the client-reported IP address available from the RDS API -- the client-reported IP will not return the client's public IP if the client is, for example, behind a NAT router -- it will return a private IP address instead.
Once you have the client's IP address, you can use an API like GeoIP to look up the physical location of the client.
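Added example, not part of the answer above: once the session's remote endpoint is in hand (from WinStationQueryInformationW / WinStationRemoteAddress, or Cassia's ITerminalServicesSession.RemoteEndPoint, as described), decide what it can tell you. On a corporate WAN the address is usually a private one from a branch subnet, so a site table is the authoritative answer and GeoIP only applies to a globally routable address. The site table and addresses below are constructed for the demo.

```python
# Added example (not from the original answer): map the remote endpoint of an
# RDS session to a branch/site, and decide whether a GeoIP lookup even makes
# sense. The session IP itself comes from WinStationQueryInformationW /
# Cassia's ITerminalServicesSession.RemoteEndPoint as the answer describes;
# here it is passed in as a string. The site table is a constructed example.
import ipaddress
from typing import Optional

# Constructed site table: one allocation per branch WAN subnet. In practice
# this comes from the network team's IPAM, not from code.
SITE_SUBNETS = {
    "branch-denver": ipaddress.ip_network("10.10.0.0/16"),
    "branch-austin": ipaddress.ip_network("10.20.0.0/16"),
    "store-seattle": ipaddress.ip_network("10.30.5.0/24"),
}


def site_for_address(remote_ip: str) -> Optional[str]:
    """Return the branch whose subnet contains remote_ip, or None."""
    addr = ipaddress.ip_address(remote_ip)
    for site, net in SITE_SUBNETS.items():
        if addr in net:
            return site
    return None


def geoip_usable(remote_ip: str) -> bool:
    """GeoIP only says something about globally routable addresses. Private
    (RFC 1918), loopback, link-local and ULA addresses come from the NAT or
    VPN in front of the client and would resolve to nothing useful."""
    return ipaddress.ip_address(remote_ip).is_global


def locate_session(remote_ip: str) -> dict:
    """Decide how this session's location should be established.

    Order of preference: a known branch subnet (authoritative, it comes from
    our own WAN design), then GeoIP for a public address (approximate only),
    else unknown, which the caller should treat as 'no location-bound
    functionality, e.g. no cash drawer'."""
    site = site_for_address(remote_ip)
    if site is not None:
        return {"source": "site-table", "site": site}
    if geoip_usable(remote_ip):
        return {"source": "geoip", "ip": remote_ip}
    return {"source": "unknown", "ip": remote_ip}
```

The site-table path is only as trustworthy as the network: if a travelling user can reach the RDS host over a VPN that hands out addresses from a branch range, the lookup will place them at that branch, so keep VPN pools in their own subnets and map those to "unknown".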

Related

Remote control OPC ip address

I am new to the OPC UA world and I need to get started with this. I have a company in which there is a new machine that is an OPC server. This machine is actually connected to the internet with DHCP. In particular, I need to understand:
For remote control on the same network, I only need to take the IP address (possibly static) and I can monitor and write values on the server, is this right?
An OPC UA server provides different endpoints, typically in the form of opc.tcp://myOPCUAServer:12345/path; those endpoints can be discovered using the local IP address or DNS name. Your OPC UA stack typically provides functionality to list all the endpoints, like DiscoveryClient.GetEndpoints(), and then select one for you, like CoreClientUtils.SelectEndpoint().
Often endpoints support different connection settings like Security Policy (e.g. Basic256Sha256), Message Security Mode (e.g. SignAndEncrypt) and User Authentication (Anonymous, Username/Password, Certificate). Your client connection would need to support the same in order to connect.
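Added example, not from the answer above: the selection step the answer mentions (what SelectEndpoint does for you), written out so the policy is visible. It ranks the discovered endpoints by Message Security Mode and Security Policy and, by default, refuses the unsecured one, since a machine reachable over a routed network with SecurityPolicy None lets anyone who can reach the port write values. The endpoint list is constructed to look like a discovery result; a real stack returns EndpointDescription objects, not dicts.

```python
# Added example (not from the original answer): pick the endpoint to connect
# to from a discovery result, the way the stack's SelectEndpoint helper does,
# but with an explicit policy that refuses an unsecured endpoint unless the
# caller opts in. The endpoint list below is constructed to resemble what
# GetEndpoints() returns; real stacks return objects, not dicts.
from typing import List, Optional

# OPC UA identifiers as they appear in EndpointDescription.SecurityPolicyUri
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B128 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
POLICY_B256S = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# Higher is better. Basic128Rsa15 and Basic256 are deprecated by the OPC
# Foundation (SHA-1, RSA PKCS#1 v1.5), so they rank below Basic256Sha256.
POLICY_RANK = {POLICY_NONE: 0, POLICY_B128: 1, POLICY_B256: 2, POLICY_B256S: 3}
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}

# Constructed discovery result for opc.tcp://myOPCUAServer:12345/path
DISCOVERED = [
    {"url": "opc.tcp://myOPCUAServer:12345/path", "policy": POLICY_NONE,
     "mode": "None", "tokens": ["Anonymous", "UserName"]},
    {"url": "opc.tcp://myOPCUAServer:12345/path", "policy": POLICY_B256,
     "mode": "Sign", "tokens": ["UserName"]},
    {"url": "opc.tcp://myOPCUAServer:12345/path", "policy": POLICY_B256S,
     "mode": "SignAndEncrypt", "tokens": ["UserName", "Certificate"]},
]


def select_endpoint(endpoints: List[dict], allow_insecure: bool = False,
                    required_token: Optional[str] = None) -> Optional[dict]:
    """Return the most secure endpoint, ranked by (mode, policy).

    allow_insecure=False drops SecurityPolicy None / Mode None entirely.
    required_token filters on the user token type the client can actually
    present (e.g. "UserName" or "Certificate")."""
    candidates = []
    for ep in endpoints:
        if required_token and required_token not in ep["tokens"]:
            continue
        if not allow_insecure and (ep["policy"] == POLICY_NONE or ep["mode"] == "None"):
            continue
        if ep["policy"] not in POLICY_RANK or ep["mode"] not in MODE_RANK:
            continue  # unknown policy or mode: our stack cannot negotiate it
        candidates.append(ep)
    if not candidates:
        return None
    return max(candidates, key=lambda ep: (MODE_RANK[ep["mode"]], POLICY_RANK[ep["policy"]]))


if __name__ == "__main__":
    chosen = select_endpoint(DISCOVERED, required_token="UserName")
    print(chosen["policy"], chosen["mode"])   # Basic256Sha256 SignAndEncrypt
```

If select_endpoint returns None, the fix is on the server (enable a secure endpoint or a usable token type), not to flip allow_insecure in the client.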

Static and public IP addresses for regular computers

I want to do a messaging application on the browser using WebRTC, but I want to get rid of every third party like STUN and TURN servers (I also want to get rid of signaling servers but first things first). I want the users to keep their contacts in the browser localStorage in a key-value way: name of the person => IP address.
I don't really care how the users find their own public IP address (they can do an ipconfig as there is no web API to retrieve it) nor how they distribute it (they can use a centralized service like Messenger to give their public IP address to their friends, or they can use a QR code on their business card).
But the main issue I have is that I want these public IP addresses to be static, because I don't want to notify all my friends to update their contact file every time my gateway changes my public IP address.
In IPv4, there are too few available addresses (only 4 billion), so the public static addresses are all reserved to websites and residential gateways. Whenever I want to access the Internet, my gateway opens a specific port for my computer. For example, if my gateway has the public address 1.2.3.4, the "public address" of my computer would be temporarily 1.2.3.4:3000. This process is called NAT. To find one's "public address", one must send a request to a STUN server which would respond with what IPv4 address and what port it sees. But the gateway closes the connection of the port at some point, so that's not a public static address like I want.
But in IPv6 it's different, the number of possible addresses is ridiculously high (2^128), so we could theoretically give one static public address to each computer in the world. NAT would basically be useless (I'm not talking about firewalls here). But again, there is a problem, in IPv6 you have one address that is static but not public, and you have one or more addresses that are public but not static. So nothing has really changed from IPv4, and it still doesn't solve my problem.
I have 2 questions:
How to have a public and static address for regular computers? I don't want my users to meddle with their router/ISP or install anything on their computer.
Why don't we all already have static and public IPv6 addresses? Is there a design choice behind this?
Thank you for your help.
Your question is not really a programming question, so I'm assuming you need to know this because you are developing software that uses IPv6. Looking at it from an application point of view:
You don't need TURN to discover your own public address. Without NAT your address is not changed by the network and your local address is your public address. You just need to let your software ask the OS what the currently configured addresses are.
With IPv6 it's usually not the gateway giving out addresses to connected devices. The gateway only communicates the network prefix (a /64) to the network, and all devices choose their own addresses (usually multiple addresses per device).
DHCPv6 does exist, but it is usually not used to configure IPv6 addresses on devices. It may be used in stateless mode to configure domain names, DNS resolvers etc, but that is not related to assigning addresses.
So the device chooses its own addresses within the prefix communicated by the gateway. How does it choose?
Originally devices used their interface MAC address for the suffix (using the modified EUI-64 algorithm). The problem with this was that if you had a laptop, for example, online services that you connect to could track your device. Because no matter what network you connect to, the last 64 bits of your address would contain your unique MAC address. That way it was possible to track your device from work to home to your favourite coffee place etc.
These days the OS uses privacy extensions to make your IPv6 address untraceable. Often there is a stable address that is linked to the network prefix, so that every time you connect to the same network you get the same address. That address is useful for peer-to-peer communication.
But they went further than that. There is often also a set of privacy addresses that (semi)randomly change over time. Your device might generate a new address every day, or maybe even every hour. That makes it even harder for online services to determine whether there is a single device that has changed its privacy address, or whether there are multiple devices. Because this address changes over time it's good for short-lived outbound connections, but not so useful to accept inbound connections on. For that use the stable address I mentioned in the previous paragraph.
Probably the most difficult bit is how to ask the OS about the available addresses. Looking at my own macOS box I see:
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether c8:e0:eb:5c:af:61
inet6 fe80::1074:8568:e447:d9e3%en2 prefixlen 64 secured scopeid 0x12
inet6 2a02:xxxx:xxxx:xxxx:3e:873f:837:1417 prefixlen 64 autoconf secured
inet6 2a02:xxxx:xxxx:xxxx:b19c:71c5:1de8:8fde prefixlen 64 autoconf temporary
You can see both the long-term secured address and the short-term temporary address.
Without knowing which OS you are developing for and in which programming language I can't help you further. Please adjust your question to include that information.
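Added example, not part of the answer above, for the "ask the OS which addresses it has" step. It parses the output of `ifconfig` (macOS/BSD, in the format shown in the answer) or `ip -6 addr` (Linux), classifies each IPv6 address, and returns the one to publish for inbound peer-to-peer connections: global scope and not a temporary (privacy) address. Both listings below are constructed; the ifconfig one follows the answer's listing with a made-up prefix.

```python
# Added example (not from the original answer): classify the IPv6 addresses
# an interface currently has, from the output of `ifconfig` (macOS/BSD, as
# shown in the answer) or `ip -6 addr` (Linux), and pick the one to publish
# for inbound peer-to-peer connections: a global, non-temporary address.
# Both sample listings are constructed (prefix 2a02:1234:5678:9abc is made up).
import ipaddress
import re
from typing import List, Optional

SAMPLE_IFCONFIG = """\
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether c8:e0:eb:5c:af:61
    inet6 fe80::1074:8568:e447:d9e3%en2 prefixlen 64 secured scopeid 0x12
    inet6 2a02:1234:5678:9abc:3e:873f:837:1417 prefixlen 64 autoconf secured
    inet6 2a02:1234:5678:9abc:b19c:71c5:1de8:8fde prefixlen 64 autoconf temporary
"""

SAMPLE_IP = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:1234:5678:9abc:9c4d:23ff:fe1a:77c1/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 2a02:1234:5678:9abc:4d1e:10f4:a2bc:0d9e/64 scope global temporary dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::9c4d:23ff:fe1a:77c1/64 scope link
"""

# "inet6 <addr>[%iface][/prefix] <flags...>" in either tool's output
_INET6 = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\w+)?(?:/\d+)?\s*(.*)$")


def parse_inet6(text: str) -> List[dict]:
    """One dict per inet6 line: the address object, temporary flag, raw flags."""
    out = []
    for line in text.splitlines():
        m = _INET6.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        flags = set(m.group(2).split())
        # both ifconfig and ip mark privacy addresses with the word "temporary"
        out.append({"addr": addr, "temporary": "temporary" in flags, "flags": flags})
    return out


def classify(addr: ipaddress.IPv6Address) -> str:
    if addr.is_link_local:
        return "link-local"   # fe80::/10, only valid on this segment
    if addr.is_private:
        return "ula"          # fc00::/7 (or other non-global special ranges)
    if addr.is_global:
        return "global"
    return "other"


def inbound_address(text: str) -> Optional[str]:
    """The address to hand to peers: global scope and not a privacy (temporary)
    address, so it survives the OS rotating its temporary addresses."""
    for entry in parse_inet6(text):
        if classify(entry["addr"]) == "global" and not entry["temporary"]:
            return str(entry["addr"])
    return None


if __name__ == "__main__":
    print(inbound_address(SAMPLE_IFCONFIG))
    print(inbound_address(SAMPLE_IP))
```

Parsing tool output is the portable fallback; on a single platform you would rather use the OS API directly (getifaddrs on macOS/Linux, GetAdaptersAddresses on Windows), which exposes the same temporary/stable distinction without text parsing.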

Connect IOT module to the internet server

I have developed an IOT module which can connect to the Wi-Fi and send data to the internet, the module can send data (string) to specific IP address on the specific port.
The internet server should store that information to the data base and display that information to the user via HTTP (web page).
When I set the port to the 9081 (any random number) and my local computer IP address as IP address that module should send data to, I can see data on my local computer terminal.
My question is that how can I send that data to the internet?
What I have in mind is that I can purchase domain name, host and develop a web site (HTTP) which by default listen to port 80. The service provider only give me a basic services such as HTTP, HTTPS and FTP which make it possible to upload website and I don’t have access to other protocols and ports.
Should I purchase virtual private server or I should use any specific cloud services or the module can send data to the server on port 80 without getting conflict with web pages and web contents?
Please give me some suggestion.
I did something similar with an IoT module. There are two options that I also considered. Before we describe, there is no need to buy a domain name. You can comfortably use the IP address to connect to. If you have some spare cash go for it.
Send everything to the web server on your local computer. To have access to the local computer you must enable port 80 to be accessible over the internet. You do this on a router. This is called port forwarding. You set up a rule such that all the requests made to your IP address on port 80 should be redirected to your local computer on whatever port the web server is listening to. This is the cheapest method available. Also, there is an important limitation: your local computer needs to be switched on all the time if you want to access the data.
Buy a droplet (virtual private server). The workflow is the same as 1, but you don't need to port forward anything. These are usually set up and ready to use. However, this is usually expensive. Most of these providers offer pay-as-you-go services (e.g., Digital Ocean is the one that I used). There are other providers which offer free but limited versions. These are usually developer trial versions. If you go over a number of transactions, or space, you will have to pay (have a look at Parse).
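Added example, not part of the answer above: the server side for either option, receiving the module's data over plain HTTP on the same port as the web pages (a dedicated path, so there is no conflict), plus the check the port-forwarding setup does not give you on its own: once port 80 is reachable from the Internet, anything can post to it, so the module signs each upload with a shared secret and unsigned posts are rejected. Host, port, secret and the sample reading are made up for the demo, and the in-memory list stands in for the database.

```python
# Added example (not from the original answer): the "internet server" side
# for the module on one HTTP port shared with the web pages, plus device
# authentication: the module signs each upload with a shared secret
# (HMAC-SHA256) and anything else that finds the forwarded port gets a 401.
# Secret, path and sample reading are constructed for the demo.
import hashlib
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEVICE_SECRET = b"replace-with-per-device-secret"   # provisioned on the module
READINGS = []                                        # stands in for the database


def sign(body: bytes, secret: bytes = DEVICE_SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class IngestHandler(BaseHTTPRequestHandler):
    """POST /ingest stores one JSON reading; every other path is 404, so the
    web site can live beside it on the same port."""

    def do_POST(self):
        if self.path != "/ingest":
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        given = self.headers.get("X-Signature", "")
        # constant-time compare so a forged signature cannot be guessed by timing
        if not hmac.compare_digest(given, sign(body)):
            self.send_error(401)
            return
        try:
            reading = json.loads(body)
        except ValueError:
            self.send_error(400)
            return
        READINGS.append(reading)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server(port: int = 0):
    """Run the ingest server on a background thread; returns (server, bound port)."""
    srv = HTTPServer(("127.0.0.1", port), IngestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def module_upload(port: int, reading: dict, secret: bytes = DEVICE_SECRET) -> int:
    """What the module does: POST the reading with its signature. Returns the HTTP status."""
    body = json.dumps(reading).encode()
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/ingest", data=body, method="POST",
        headers={"Content-Type": "application/json", "X-Signature": sign(body, secret)})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    srv, port = start_server()
    print(module_upload(port, {"sensor": "temp", "value": 21.5}))             # 204
    print(module_upload(port, {"sensor": "temp", "value": 99}, secret=b"x"))  # 401
    print(READINGS)
    srv.shutdown()
```

With a shared hosting plan that only exposes HTTP/HTTPS this same handler becomes a script at a path on the site; the signature check is what matters, not the port. Use HTTPS once the module's TLS stack allows it, since the HMAC authenticates the data but does not hide it.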

apache on windows network - can't connect to external ip from in network

I created an AMP web application that was originally going to be served from a traditional 3rd party host.
As we finished up, the client decided to host it internally, on a server in their office network. The application is only meant to be available to staff members, but those staff members will often be off-site. I had no involvement in setting up their network, which uses at least one server running windows server 2003. The client machines I saw were XP.
I set up Apache, MySQL and PHP on the server 2003 machine, and installed the application. The application is built on the CodeIgniter framework, so I set the base_url to the internal IP (192.168...), and we tested from within the network. Everything worked fine.
Next, we asked their network guy to open port 80 for apache. I set the base_url to the external IP, and tested from my home (using the external IP as the web address), and it works fine.
However, when attempting to access the application using the external IP from within the network, they're unable to connect. I can reset the base_url to the network IP, and they can access it using the network IP, but then the application fails when connecting externally (since the base_url, used throughout the application, is pointing to the internal IP).
I suppose I could let CodeIgniter determine the base_url (by leaving the variable as an empty string), but would rather figure out why the external IP fails in-network, and try to correct that.
The server we're using is not dedicated to the AMP stack (in fact, it has at least one other application broadcasting to the internet that must have been using IIS, as well as an FTP server used for office scanners), so I suppose there might be some conflicts there.
I know very little about windows networking. A quick search suggested this might be because of NAT, but didn't offer a work-around.
Their network guy has no suggestions, and said that everything should be fine.
Is it possible to have users inside the network access the Apache server using the external IP, and if so, what needs to happen to enable that?
TYIA
Your client's NAT router is configured to forward packets arriving on its external interface for its external IP with port 80 to the internal machine, port 80, after re-writing the source and destination IP addresses in the packets.
From within the network, attempts to connect to the external IP address will be routed to the default route on the machines, the router's internal interface. This interface is not configured to forward packets back into the network.
Configure the application to listen on all IP addresses. Make sure that the server knows that the clients know it under several hostnames -- the internal IP address and the external IP address.
You might be able to re-write the NAT firewall rules on the router to perform the port forwarding for the internal interface as well, but off-the-shelf equipment common in homes and small businesses does not make this task easy. More expensive gear (or home-built *BSD/Linux router machines) can do this without much effort, but it would needlessly add traffic to the router.
This isn't Apache related, nor is it CI related. It's often impossible to reach the external IP address from within the network.
Frankly, I don't know exactly why that is. I do know that it's related to how NAT (Network Address Translation) works or at least how it's implemented.
For a detailed overview of why this is, you should ask this question on serverfault. If you're simply a programmer who has to deal with it, accept that NAT usually works only from inside to outside and outside to inside, but not inside to inside.
You already mentioned one of the solutions in your question - don't use base_url. You could also simply run the server on an external IP address (not your company IP, but let's say a datacenter or something).
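Added example, not from either answer above: both answers point at the same fix, let the server answer under whichever name the client used (internal address in the office, external address off-site) instead of hardcoding one base_url. Deriving base_url from the request's Host header does that, but taking Host unchecked lets any client that reaches the server with a forged Host header make the application emit links, redirects and password-reset URLs pointing at an attacker-chosen name. The check below only accepts hosts on an allowlist. The addresses are constructed, and the CodeIgniter side (feeding the result into $config['base_url']) is left to PHP.

```python
# Added example (not from the original answers): derive base_url per request
# from the Host header, restricted to the hosts the site is actually known
# by, so one install serves both the LAN and the Internet without hardcoding
# either address. Host names and ports below are constructed for the demo.
from typing import Optional
from urllib.parse import urlsplit

# Every name or address staff legitimately use to reach the box, with the
# ports allowed for each: the LAN address used in the office, the router's
# public address used off-site. Anything else is refused.
ALLOWED_HOSTS = {
    "192.168.1.20": {80},          # constructed: server's LAN address
    "198.51.100.7": {80, 8080},    # constructed: router's external address
}


def resolve_base_url(host_header: Optional[str], https: bool = False) -> Optional[str]:
    """Return 'scheme://host[:port]/' if Host is on the allowlist, else None.
    None means the app should refuse to build absolute URLs for this request."""
    if not host_header:
        return None
    # urlsplit on '//host:port' separates host from port and surfaces junk
    # such as 'good.host@evil.host' (hostname becomes evil.host) or a path.
    parts = urlsplit("//" + host_header.strip().lower())
    if parts.hostname is None or parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port            # ValueError on a non-numeric port
    except ValueError:
        return None
    allowed_ports = ALLOWED_HOSTS.get(parts.hostname)
    if allowed_ports is None:
        return None
    scheme = "https" if https else "http"
    default = 443 if https else 80
    effective = port if port is not None else default
    if effective not in allowed_ports:
        return None
    if effective == default:
        return f"{scheme}://{parts.hostname}/"
    return f"{scheme}://{parts.hostname}:{effective}/"


if __name__ == "__main__":
    for h in ["192.168.1.20", "198.51.100.7:8080", "evil.example",
              "192.168.1.20@evil.example", "192.168.1.20:abc"]:
        print(h, "->", resolve_base_url(h))
```

This does not make the external IP reachable from inside (that is the NAT hairpin issue the answers describe); it makes the application indifferent to which address the client used, which is the practical way around it.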

Broadcasting hostname and IP address

In order to notify all computers within the same LAN about my existence, I want to broadcast my hostname and IP address.
How do I go about doing so without sending them as a string?
Avik, this is what DNS is meant to be used for. While "regular" DNS is meant to hold names and IP addresses for each machine (statically configured), there is a dynamic DNS protocol which allows machines to update their DNS entries in real time.
This sort of capability is used in some of the office environments for my clients where printers on a machine are shared but the machines they're attached to use DHCP (meaning their IP address can change).
See here and here for details and the Windows implementation with DHCP.
Let's call your machine that wants to advertise itself the SERVER and all the machines that can use it, the CLIENTS.
Of course, dynamic DNS only notifies DNS itself of the name/IP mapping and is useful if the CLIENTS are already aware of your SERVER so they can get the IP address from DNS. If you have no way for CLIENTS to discover that your SERVER has just been added, you'll still need to broadcast a packet occasionally indicating that your SERVER exists (this will only need the SERVER name since CLIENTS will use DNS to get the IP address).
This broadcast packet should be picked up by all CLIENTS and kept in a local table. If the communications from a CLIENT to your SERVER fails, the local table entry for your SERVER should be removed (it'll be re-added when your SERVER broadcasts again).
Basically re-inventing NetBIOS or ZeroConf, as is popular with small embedded devices for discovery by a Windows or OS X based installer or setup utility.
You can try to use UPnP Discovery.
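Added example, not from any of the answers above, for the roll-your-own route the DNS answer sketches: a small binary announcement packet carrying hostname and IPv4 address (packed fields rather than a free-form string, as the question asks), the sender that broadcasts it, and the receiver-side table with expiry. The receiver validates lengths before it trusts any field, because anything on the LAN can send to a broadcast port. Wire format, magic value and port are made up for the example; this is not NetBIOS, mDNS or SSDP.

```python
# Added example (not from the original answers): binary announcement packet,
# broadcast sender, and a peer table whose entries expire. Magic tag, port
# and sample values are constructed for the demo; the format is our own.
import socket
import struct
import time
from typing import Dict, Optional, Tuple

MAGIC = b"ANNC"        # constructed 4-byte tag so unrelated broadcasts are ignored
VERSION = 1
MAX_NAME = 63          # one DNS label; longer names are rejected
TTL_SECONDS = 30       # announce every ~10 s, drop after 3 missed announcements
PORT = 48879           # constructed; pick one not in use on your LAN

# header: magic(4s) version(B) ipv4(4s) name_len(B), followed by name bytes
_HDR = struct.Struct("!4sB4sB")


def encode(hostname: str, ipv4: str) -> bytes:
    name = hostname.encode("ascii")
    if not 0 < len(name) <= MAX_NAME:
        raise ValueError("hostname must be 1..63 ASCII bytes")
    return _HDR.pack(MAGIC, VERSION, socket.inet_aton(ipv4), len(name)) + name


def decode(packet: bytes) -> Tuple[str, str]:
    """Parse an announcement into (hostname, ipv4); ValueError on anything
    malformed. Length checks come before any field is used, so a truncated
    or padded datagram cannot be misread."""
    if len(packet) < _HDR.size:
        raise ValueError("short packet")
    magic, ver, raw_ip, name_len = _HDR.unpack_from(packet)
    if magic != MAGIC or ver != VERSION:
        raise ValueError("not an announcement")
    if name_len == 0 or name_len > MAX_NAME or len(packet) != _HDR.size + name_len:
        raise ValueError("bad name length")
    name = packet[_HDR.size:].decode("ascii")
    if not all(c.isalnum() or c == "-" for c in name):
        raise ValueError("bad hostname")
    return name, socket.inet_ntoa(raw_ip)


class PeerTable:
    """hostname -> (ip, last_seen). Entries expire instead of living forever,
    so a SERVER that silently leaves stops being offered to CLIENTS."""

    def __init__(self, ttl: float = TTL_SECONDS):
        self.ttl = ttl
        self.peers: Dict[str, Tuple[str, float]] = {}

    def learn(self, packet: bytes, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        try:
            name, ip = decode(packet)
        except ValueError:
            return              # drop garbage; never let it crash the listener
        self.peers[name] = (ip, now)

    def active(self, now: Optional[float] = None) -> Dict[str, str]:
        now = time.time() if now is None else now
        self.peers = {n: v for n, v in self.peers.items() if now - v[1] <= self.ttl}
        return {n: v[0] for n, v in self.peers.items()}


def announce(hostname: str, ipv4: str, port: int = PORT) -> None:
    """Send one announcement to the LAN broadcast address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(encode(hostname, ipv4), ("255.255.255.255", port))


if __name__ == "__main__":
    table = PeerTable()
    table.learn(encode("printer-01", "192.168.1.77"))
    print(table.active())   # {'printer-01': '192.168.1.77'}
```

The table records what a sender claimed, not what was verified; a CLIENT should still treat the address as a hint and fall back to DNS or a failed-connection retry, as the DNS answer describes.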