Ziti_GW service

Hello,
I am working on establishing communication between a client and server using the Ziti Router with a tunneler on the server side and the Ziti Desktop Edge Tunneler on the client side. Here is my network topology:


Both the Router and the Windows machine have been successfully enrolled with the controller. My goal is for the user on the Windows machine to access the SSH service on the SSH server and RDP to the RDP server.
I followed the guide Use a Router as a Local Gateway | OpenZiti
where the router is only deployed on the server side. However, I need support to complete the scenario. I attempted to enable the service using ZAC, and I can see the service enabled on the Windows machine's tunneler.

Could you please assist me in ensuring that the Windows machine user can successfully access the SSH and RDP services?

Currently I followed the following guide, where I deployed 2 Ziti routers with the tunneler enabled on both sides. Use a Router as a Local Gateway | OpenZiti
I used RDP instead of the HTTP service. It is working successfully, but when I tried the SSH service it always showed me the connection refused message. Although when I did nslookup it showed the exact result shown in the guide, it is not working with SSH.

Here is my latest topology.

As a checklist,
Did you create a separate SSH service with port 22, or a host service with all ports?

Did you set the policies to make sure the edge routers have proper Dial/Bind access?
I would run the policy-advisor on the Controller to make sure, it's easier than verifying everything by hand. (ziti edge policy-advisor services)

On the node you are accessing, is there access from the Edge Router to the target? (I would log in to the Edge Router directly and attempt to ssh to the target to see if the issue is with OpenZiti or the local setup)

If you don't figure it out with those, post up the service configs, etc. and the policy-advisor output and we have a better chance of figuring out what's going on.

Hello Mike
I created the SSH service with port 22.
Yes, I set the policies with Dial/Bind access. Here is the output from policy-advisor services. Highlighted is the service for SSH.


I can SSH from the Ziti edge router to the target SSH-server.

Hello Mike,
The issue has been solved by creating another SSH service and then creating the bind and dial policies. Now I am able to SSH to my server.
Thanks for the support.

Are the configs, host and intercept correct? No typos? This all looks good to me.

Are you initiating from the 172.18.18.250 router, or the .10 device? I'm trying to map the identity names to the devices in the drawing, and not sure exactly what is what. You have the test03 device to dial the RDP service, but moved to attributes for the SSH service, so it could be the identity or service attributes, one or the other isn't 100% correct.

The other thing is are you logging events? The fabric.circuit message could give a clue as well. It will have a failure cause if it is being rejected, or it won't be there if it is never dialing for some reason.

The SSH session is initiated on 172.18.18.10, which is the Windows machine.
Can you please guide me on how to enable the logging of events and how to check it on the CLI and in ZAC?

In your controller config, add the following piece. You may have to create the directories, match permissions, etc.

events:
  utilizationLogger:
    subscriptions:
      - type: fabric.circuits
        version: 3
    handler:
      type: file
      format: json
      path: /var/log/ziti/fabric.circuits.log
      maxsizemb: 1024
      maxbackups: 5

There's a ton of things you can log, but this should get it started with the fabric circuits. There is doc on the site if you want to learn more about that.

As far as review, you'll either have to import them into something, or just read the json. Given this is a test setup, you can probably just use a text editor, or cat the log to jq on the system. What you are looking for is the failure_cause. That will tell you why it failed. If there isn't one at the time you test, then it didn't dial at all. You'll have to use the service id from the list services to make sure it's the right one, the names aren't logged.

Back to the issue, if you are initiating from the Windows machine, but it appears the gateway router is what has Dial permissions, how are you routing from the Windows box to the router?
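As an added example (not part of this thread and not OpenZiti's own tooling), here is a small Python script that does the review step described above: it reads the JSON-lines file written by the file handler, groups circuit events by service id, counts failures per failure_cause, and flags any service from your list that never produced a circuit event at all (the "it didn't dial" case). Only failure_cause and service_id are taken from the thread; the other field names, the service ids, the service-name mapping and the sample log lines are constructed assumptions and should be adjusted to match what your controller actually writes.

```python
import json

# Constructed sample of fabric.circuits events, one JSON object per line, in the
# shape the file handler writes. Only "failure_cause" and "service_id" come from
# the thread; the other field names are assumptions modelled on OpenZiti circuit
# events. The ids and the failure cause value are made up for this example.
SAMPLE_LOG = """\
{"namespace":"fabric.circuits","event_type":"created","circuit_id":"c1","timestamp":"2024-01-01T10:00:00Z","client_id":"test03","service_id":"svc-rdp"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c2","timestamp":"2024-01-01T10:00:05Z","client_id":"test03","service_id":"svc-ssh","failure_cause":"example_cause"}
{"namespace":"fabric.circuits","event_type":"failed","circuit_id":"c3","timestamp":"2024-01-01T10:00:09Z","client_id":"test03","service_id":"svc-ssh","failure_cause":"example_cause"}
not json at all
{"namespace":"fabric.circuits","event_type":"deleted","circuit_id":"c1","timestamp":"2024-01-01T10:05:00Z","client_id":"test03","service_id":"svc-rdp"}
"""

# Hypothetical mapping from the service ids in the log to the names shown by
# `ziti edge list services`; the log only carries ids, not names.
SERVICE_NAMES = {"svc-rdp": "rdp-service", "svc-ssh": "ssh-service"}


def parse_events(text):
    """Yield the fabric.circuits events in text, skipping non-JSON lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("namespace") == "fabric.circuits":
            yield ev


def summarize(text, service_names):
    """Per service id: circuits created, circuits failed, and failure causes seen.

    Every service in service_names is present in the result even with zero
    events, so a service that was never dialed shows up explicitly.
    """
    summary = {
        sid: {"name": name, "created": 0, "failed": 0, "failure_causes": {}}
        for sid, name in service_names.items()
    }
    for ev in parse_events(text):
        sid = ev.get("service_id")
        if sid is None:
            continue
        entry = summary.setdefault(
            sid, {"name": "(unknown id)", "created": 0, "failed": 0, "failure_causes": {}}
        )
        if ev.get("event_type") == "created":
            entry["created"] += 1
        elif "failure_cause" in ev:
            entry["failed"] += 1
            cause = ev["failure_cause"]
            entry["failure_causes"][cause] = entry["failure_causes"].get(cause, 0) + 1
    return summary


def report(summary):
    """Render one line per service, calling out the never-dialed case."""
    lines = []
    for sid, e in summary.items():
        if e["created"] == 0 and e["failed"] == 0:
            lines.append(f"{e['name']} ({sid}): no circuit events; this service was never dialed")
        elif e["failed"]:
            causes = ", ".join(f"{c} x{n}" for c, n in e["failure_causes"].items())
            lines.append(f"{e['name']} ({sid}): {e['failed']} failed ({causes}), {e['created']} created")
        else:
            lines.append(f"{e['name']} ({sid}): {e['created']} created, no failures")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/ziti/fabric.circuits.log").read()
    # to run this against the file configured in the events section above.
    for line in report(summarize(SAMPLE_LOG, SERVICE_NAMES)):
        print(line)
```

Run it against the real file by reading the path configured in the handler; a service line reporting "never dialed" means the tunneler on the Windows side never reached the controller for that service, which points at the intercept config or the dial policy rather than at the host side.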