Access from external Computers

SSH (secure shell) is a recommended program for logging in to remote hosts. SSH transmits the login information (username and password) in encrypted form over the network. This way nobody listening on the network is able to collect and misuse this confidential information.

For security reasons, an SSH tunnel should be preferred over VPN to connect to the internal network. Please see SSH vs. VPN by D4 (the web site is only available from the internal network and only in German).

Preliminaries

To use SSH, an SSH client has to be available on the client side (e.g. PuTTY on Windows computers) and an SSH daemon must run on the server which the user wants to connect to or through (e.g. bastion.desy.de as gateway host). Both conditions are already fulfilled on all Linux hosts. On Windows computers, PuTTY can be installed as SSH client program.

Computer Name

In addition to the technical preliminaries you also have to know the name of the computer you want to connect to. How to determine the name of your computer using Windows can be read on the following web site: http://it.desy.de/services/uco/documentation/external_access. If you want to use the central Windows terminal server you have to use winterm.desy.de.

Needed Programs

PuTTY

If you are using a DESY Windows computer, you may install PuTTY via NetInstall / DSM. Otherwise, if you are using a private Windows device, please download it from the official web site: https://putty.org/

FastX 2

If you want to get a graphical connection to a Linux computer, you need a FastX 2 client as well as a FastX 2 server on the remote side. The client can be installed via NetInstall / DSM on DESY Windows devices. If you are not using a DESY computer, you may download the client via our DESY web sites; the FastX 2 server is also available there and has to be installed on the remote device. Please use the newest version which is available there!

Please note that central work group servers like e.g. pal.desy.de already offer a FastX 2 server, so these nodes can be used to connect via FastX 2 clients.

XfreeRDP

XfreeRDP is a Remote Desktop client available on Linux computers which can be used via the command 'xfreerdp'. It is necessary to establish a graphical connection from Linux to Windows computers via RDP. Normally XfreeRDP is available on all DESY Linux computers by default. Otherwise it can be installed via the system package manager using the standard repos, so no explicit download should be necessary to get this package.

Needed Permissions

Permissions on your personal DESY Windows Computer

To connect to a Windows computer remotely, you must either have administrative permissions for that computer or your account has to be a member of the remote desktop users group on it. So if the connection is not possible, you may not have the needed permissions to connect to this computer. A corresponding error message would point you to this fact.

In that case, please contact one of your responsible Windows group administrators to ensure that all settings and permissions are set so that you are able to connect to the Windows computer in question.

Permissions on Winterm

Please note that permissions to connect to the central Windows terminal server winterm.desy.de are given by the UCO. So if you want to connect to the central Windows terminal server, please contact the UCO (Email: uco@desy.de or Ext. 5005). More information on the Windows Terminal Server can be found on the following web site:
https://it.desy.de/services/login/win_ts/

Usage of bastion.desy.de as Gateway

To connect to a computer which is located within the DESY intranet, a connection via the gateway computer bastion.desy.de is normally necessary, because all other computers are not reachable from outside. Therefore bastion.desy.de has to be used as intermediary between devices within and outside the DESY network.

It is possible to reach bastion.desy.de from outside the DESY network. However, it can only be used as gateway for SSH tunnels or as hop to other Linux computers and not for general working purposes, since only a minimum of commands is available on it.

Therefore it is necessary to connect to another computer after establishing a connection to bastion.desy.de, for example to a personal Linux computer or to central computer clusters like pal.desy.de, which can be used for general working purposes as central computing resource.

Usage of SSH

The SSH man pages explain the possibilities of SSH in detail, but a complete understanding of SSH is not necessary for the daily usage. The most frequently needed use cases of SSH are documented below.

For special use cases within the scientific computing environment, separate documentation is available which describes SSH connections using FastX 2 to the central computing cluster. These can be found at:

 

MacOS

The following instructions are only about the connection between Linux and Windows devices. Information about remote connections from / to MacOS can be found on the following web site:

 

Instructions

Windows -> Windows

fig.1

fig. 2

Important: To proceed with the following instructions you need PuTTY available on your PC as well as permissions to connect to the remote Windows PC. See chapter "Needed Programs" and "Needed Permissions" on this web site!

Configure the SSH Tunnel using PuTTY

  1. Start PuTTY
  2. Enter bastion.desy.de into the text field "Host Name (or IP address)"
  3. Check whether the standard settings "Port" and "Connection Type" are set to 22 and SSH
  4. Change to the category SSH Tunnels. Enter the "Source Port" here. This is the port of the external PC, which you are going to forward to the port of your local PC.
  5. Here port number 8006 is selected. It is possible to choose ports between 5000–65535, which are generally available and are not used by other applications.
  6. Under "Destination" indicate the computer name you want to connect to, followed by a colon and the port number 3389. E. g. winterm.desy.de:3389, to reach the central terminal server (fig.2). Hint: 3389 is the default port for remote desktop connections.
  7. Click on "Add". The session has now been established and must be saved (fig.3).

 

Save the Session

  1. Go back to Session.
  2. Indicate any name under "Saved Sessions" to select the session again later. Here "Meine Session" has been selected.
  3. Click on "Save". (fig. 3)

 

fig. 3

Open the SSH Tunnel

  1. Click on "Open". A new window will open.
  2. Enter your username and password when prompted. Hint: The password is not visible during typing!

 

fig. 4

Start the Remote Desktop Clients

  1. Open the Remote Desktop Client on your Windows PC: Start → All Programs → Accessories → Remote Desktop Connection
  2. In the field "Computer" indicate: localhost:8006 (or the corresponding "Source Port", which you chose in PuTTY)
  3. Click "connect" and enter your password when prompted.

 

Hints

  • If you should get a certificate warning, agree by clicking on "Yes".
  • If the connection cannot be established successfully, please check in the RDP connection options whether the domain is set in the text field for the user name. To open the options click on the link "view options" within the RDP connection window (see fig. 4). The username should be entered as follows: WIN\username

 

Windows -> Linux WITH graphical Interface

fig.1

fig. 2

Important: To proceed with the following instructions you need PuTTY as well as FastX 2 available on your PC. See chapter "Needed Programs" above on this web site.

Configure the SSH Tunnel using PuTTY

  1. Start PuTTY
  2. Enter bastion.desy.de into the text field "Host Name (or IP address)"
  3. Check whether the standard settings "Port" and "Connection Type" are set to 22 and SSH
  4. Change to the category SSH Tunnels. Enter the "Source Port" here. This is the port of the external PC, which you are going to forward to the port of your local PC.
  5. Here port number 5000 is selected. It is possible to choose ports between 5000–65535, which are generally available and are not used by other applications.
  6. Under "Destination" indicate the Linux computer name you want to connect to, followed by a colon and the port number 22 (fig.2).
  7. Click on "Add". The session has now been established and must be saved (fig.3).

 

 

Save the Session

  1. Go back to Session.
  2. Indicate any name under "Saved Sessions" to select the session again later. Here "Meine Session" has been selected.
  3. Click on "Save". (fig. 3)

 

fig. 3

 

Open the SSH Tunnel

  1. Click on "Open". A new window will be opened.
  2. You may get a pop-up with the PuTTY Security Alert message, which you can confirm with "yes".
  3. Enter user name and password.

 

fig. 4

 

FastX 2

  1. Start FastX 2
  2. Click on the plus symbol in the upper right corner of the window and select SSH to configure the connection
  3. Enter any name for the connection (here it has been named "SSH Verbindung")
  4. Enter localhost into the text field "Host" and the local port you used for the tunnel in PuTTY. In this case it has to be 8006
  5. Afterwards click on "Save" (fig. 4)
     
  6. Enter your username and password when prompted for it
  7. In the next window, again, click on the plus symbol in the upper right corner to establish the connection
  8. You will be asked to choose the so-called "Window Manager"; XFCE is the recommended one. As soon as you choose a Window Manager the connection will be established immediately.

 

 

Windows -> Linux WITHOUT graphical Interface

Important: To proceed with the following instructions you need PuTTY available on your PC. See chapter "Needed Programs" above on this web site.

Establish a Connection via PuTTY

The settings which are described below are visible in the picture on the right.

  1. Run PuTTY
  2. Type bastion.desy.de into the text field "Host Name (or IP address)"
  3. If needed enter a Session Name into the text field "Saved Sessions" and click on "Save"
  4. Start the SSH connection by clicking on "Open"

 

After you have logged in to bastion.desy.de successfully, please use the command ssh pal.desy.de to connect to pal.desy.de in the next step, or use another Linux computer name instead of pal.desy.de to connect to e.g. your personal Linux PC.

 

Linux -> Windows

Important: To proceed with the following instructions you need XfreeRDP available on your PC as well as permissions to connect to the remote Windows PC. See chapter "Needed Programs" and "Needed Permissions" above on this web site.

  1. Open a Console / Terminal
  2. Establish the SSH Tunnel using the following command:
     ssh -L 8006:winterm.desy.de:3389 -l username bastion.desy.de
  3. Afterwards establish the Remote Desktop Session using the following command:
     xfreerdp /u:username /d:win /v:localhost:8006

Note: The local port 8006 is only an example. You may choose another one between 5000 and 65535 for yourself. Furthermore, you may choose any other Windows computer instead of winterm.desy.de as destination host. Replace username with your personal DESY account name in every command!

If the Linux computer you connect from is already connected to the internal network, you may directly connect to the Windows computer using RDP (step 3). An SSH Tunnel via the gateway is not necessary in that case, so you may ignore step 2.
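
The two commands from steps 2 and 3 can be combined in one wrapper script. The following is an added example, not part of the original instructions or an official DESY tool: it checks the port range given in the note, binds the forwarded port for local use only, aborts if the port cannot be forwarded, and closes the tunnel when the RDP session ends. The function names and the script name desy-rdp.sh are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: tunnel-then-RDP wrapper around the two commands above.
# Defaults (8006, winterm.desy.de, domain win) are the page's example values.

GATEWAY="bastion.desy.de"
RDP_PORT=3389

# Accept only a decimal port inside the range the page allows (5000-65535).
valid_port() {
  case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 5000 ] && [ "$1" -le 65535 ]
}

# Accept only plain DNS host names; a colon or space in the destination
# would change the meaning of the -L argument built below.
valid_host() {
  case "$1" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Build the -L argument. The bind address "localhost" keeps the forwarded
# RDP port unreachable for other machines on the client's network.
forward_spec() {
  valid_port "$1" && valid_host "$2" || return 1
  printf 'localhost:%s:%s:%s\n' "$1" "$2" "$RDP_PORT"
}

main() {
  local user="$1" port="${2:-8006}" target="${3:-winterm.desy.de}" spec dir
  spec=$(forward_spec "$port" "$target") || { echo "bad port or host" >&2; return 2; }
  dir=$(mktemp -d) || return 1          # private directory for the control socket
  # -f -N: go to the background after login, start no remote shell.
  # ExitOnForwardFailure: stop if the local port is already taken, so that
  # xfreerdp never talks to some other service listening on that port.
  ssh -f -N -M -S "$dir/ctl" -o ExitOnForwardFailure=yes \
      -L "$spec" -l "$user" "$GATEWAY" || { rm -rf "$dir"; return 1; }
  xfreerdp "/u:$user" /d:win "/v:localhost:$port"
  # Close the tunnel once the RDP session has ended.
  ssh -S "$dir/ctl" -O exit "$GATEWAY"
  rm -rf "$dir"
}

# Runs only when called with arguments: ./desy-rdp.sh username [port] [host]
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The host key of bastion.desy.de is still verified by ssh as usual; the script does not change any host key checking options.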


Support

If you need support for establishing your connection or have questions, please contact the UCO with as detailed information as possible, including information about the involved devices and their device names. Email: uco@desy.de, Ext: 5005.