Accessing Trillian Pro Remotely and Through an Encrypted Tunnel
By RSnake (May 04, 2004)
I am writing this because I constantly run into situations where people
want to do things like browse the web, or talk over the net but they don't want
their office to see what they are doing over the network. Also a lot of
security content filters block certain ports from being used. Some vendors
claim that they block "all chat services". Basically there is one of two ways
in which they do this.
The two methods are: by port or by protocol. By port means they look
for common chat ports (like port 5222 for AIM) and block them. By protocol
means they look for what a chat session headers look like and block them (this
is typically harder to get around, and what most vendors claim is really good
security). I'm going to show you a way to bypass both of these methods. To do
this you will build a secure (encrypted) tunnel to a remote machine through the
blocking or monitoring device and use your remote machine as a proxy
Most of the time changing your AIM and Yahoo ports to port 25 (SMTP -
send mail transfer protocol) will bypass any firewall rules that stop you from
chatting but once in a while I run into a situation where using an encrypted
tunnel is the only way to go. Using this document there will be no way for
your office to sniff your traffic on the wire. Although it should be noted
that your office always has access to your computer if you step on their
premesis or authenticate to their primary domain controller, so just be wary.
Also, it is typically against most companies' acceptable use policy to bypass
their security, so chances are they would frown on this. So consider this
document as educational only.
You will need two machines for this set-up to work. One machine on a
static connection (we'll call this the server) that you can connect to on port
22 (or some other port that you designate as the SSH [secure shell] port) and
the machine you will be working from (client). SSH is the encryption part of
this technique. This has nothing to do with the encryption built into Trillian
Pro, but works in a vaguely similar way. I will explain it all in terms of
Windows. But you could do this with Trillian Pro inside a VMware session or
something else if you are a devout Windows hater.
By "static connection" I mean somewhere that has an IP address that you
can connect to that doesn't change, but you can also use a service like http://www.dyndns.org/ to make a dynamic
connection appear static. If you cannot do port forwarding or cannot host a
machine on your broad-band connection, stop now, and find a friend who will let
you host a machine at their house. So without further interruption, here is
the definitive guide for using Trillian Pro remotely (works with AIM, IRC, ICQ,
Yahoo and MSN) as well as how to build an encrypted HTTP (hyper text transfer
protocol) tunnel all in one document.
Step 1: Install the correct software on the server:
On the server:
- Install Cygwin from http://www.cygwin.com. Cygwin is a UNIX emulator for Windows. Really we are only using it for the sshd and apache services, so if you know of another way to get those working that you like better, feel free to use those. Please note that I am assuming in this document that you are installing it in C:/cygwin/
- Make sure you install at the least these services:
- apache (web-server) - this will be your proxy server
- pico or vim (editor) - this is optional, but recommended
- cygrunsrv (to install services)
- openssh (your ssh server) - this is the server half of the encrypted tunnel.
- Install Trillian Pro (sorry, the freebee version won't work with the plugin) from http://www.trillian.cc
Step 2: Configure the server:
On the server:
Step 3: Download software for the client:
On the client:
- Install Internet Explorer if you don't have it already (yes, other browsers will work, but I won't be going into those).
- Download PuTTy (putty.exe) from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (PuTTy is the client half of the encrypted tunnel). You can also use Stunnel here instead of PuTTy and SSHD, but I don't like it as much, primarily because it is not one single, self contained binary and it has all sorts of weird interoperability issues with itself. IE: you will need to download the OpenSSL libraries seperately for the correct version if you use Stunnel. Also, the PuTTy binary is around 200k in size, where the Stunnel binary bundle is around 1.4 megs (so around 7 times the size). I will probably add a Stunnel version to this document later, since it involves less components, and therefore theoretically an easier install (take a look at this for ideas if you are impatient).
Step 4: Configure the client:
On the client:
- Now configure configure PuTTy. Load it up and type in the remote IP address (or host name if you have one) of the server in the "Host Name (or IP address)" field. Select port 22 (unless you changed it). Now go to the "Tunnels" tab on the left under Connection->SSH->Tunnels. Select the source port as port 80 and the Destination as the IP address of the server (not the client!) and the port you want to connect to (so something like 18.104.22.168:80). And click the "Local" option button and click "Add". Now go back to the "Session" tab on the left and name it something in the "Saved Sessions" tab. Something like "HTTP Forward" will do. Click "Save" and then click "Load". You should be prompted with a user name for your remote server. Type in your server username and password and you should be connected.
- Now go to Internet Explorer. Under Tools->Internet Options->Connections->Lan Settings you will find "Proxy Server" Select the option to use a proxy server and in the address filed type "localhost" and port "80".
Step 5: Using Trillian Pro Remotely:
On the client:
- In Internet Explorer go to http://localhost:8000 (note if you changed the port to be something other than 8000 use that port here). Log in with the I.M. Everywhere password you selected on the server. Wait for the pop-up, or if you use Google's toolbar, click the link and Trillian Pro should load up in your Internet Explorer Window. (You do not have to keep the browser location set at http://localhost:8000 after the window pops up.)
Step 6: You're Done!
- You can now surf the web or access Trillian Pro remotely and securely through content filters and firewalls.
- Some Last notes:
- Make sure you keep the SSH daemon and Apache daemon running on your server when you leave so that you will be able to connect.
- Make sure you keep open the Trillian Pro window on your client and the PuTTy window connected to the server, or this will break.
- If your home network (or wherever your server lives) has port 22 for your ssh server blocked, try other ports (below 65535). Often you will find one that your providers won't block. Look at the ports list for ideas. Often you can put it on port 80, since it is unlikely that your office will block port 80 ingress/egress, assuming your server network doesn't block port 80 ingress/egress. This can be tricky if you are dealing with two networks that have content filters on both sides, but almost always you can figure something out on a high port unless it is a highly restrictive security policy.
- For security reasons you should put your server behind a firewall that has port forwarding capability and configure it to only forward port 22 ingress (or whatever port you are using to forward to your host). You don't need the webserver port open since you are SSHing to the server and accessing it through the localhost.