Schools that host FrogLearn locally (i.e. on a Frog server or on a school VM instance) can now have Secure Gateway as an additional service.
What is Secure Gateway?
Secure Gateway allows users to access applications remotely via a host PC within the school. The user experience for someone at home would be as though they were actually sat down in front of the machine in school. This service is normally used by schools who want to give their students and staff access to bespoke applications that would normally be unavailable to the average home user.
How a User Connects:
When a user tries to connect using Secure Gateway, the remote user's computer (at home) connects to the Frog server on port 2001, so this port needs to be open on the Frog server.
The Frog server then tries to connect to the selected workstation IP (or one out of a pool) on port 3389. If this port is closed, the Frog server won't be able to connect to the local machines.
If a pool is selected, the server works its way through the named workstations, and a process running on these machines informs the Frog server if a user is currently logged in. If so, the external user will be unable to connect to that internal machine.
- A reverse proxy is preventing the Frog server from seeing the IP address of the connecting remote user; the Frog server sees only the IP of the reverse proxy (where port 2001 is likely disabled).
- Remote Desktop is not enabled on the internal machines. This is typically done in the Advanced settings if you go to Properties on My Computer, in the Remote area or Advanced area depending on the operating system.
- Port 2001 is not open on the Frog server, meaning that the remote user cannot connect to the Frog server.
- Port 3389 is not open on the Frog server, meaning that the Frog server cannot connect to the internal workstations.
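The connection path and failure causes above can be checked hop by hop before contacting the Service Desk. The following is an added example, not Frog's own tooling: the function names, the hint wording and the sample addresses are assumptions, and the ports are the defaults named on this page.

```python
import socket

# Default ports named on this page; a school may have chosen others.
GATEWAY_PORT = 2001  # remote user -> Frog server
RDP_PORT = 3389      # Frog server -> workstation
WMI_PORT = 8888      # Frog WMI Query Service

# Hints map each failed hop to a cause listed on this page.
HINTS = {
    "gateway": "port not open/forwarded to the Frog server, or a reverse proxy without this port is in front",
    "rdp": "Remote Desktop not enabled on the PC, or the RDP port is blocked from the Frog server",
    "wmi": "Frog WMI Query Service not reachable, so in-use PCs cannot be detected",
}

def tcp_open(host, port, timeout=3.0):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(vantage, frog_ip, workstations=(), wmi_host=None, probe=tcp_open):
    """Check the hops visible from one vantage point.

    vantage="external": run off-site against the Frog server's external IP.
    vantage="internal": run from the Frog server's network segment (assumed to
    be where the workstations and the WMI host are reached from).
    Returns a list of (hop, host, port, ok, hint) tuples.
    """
    if vantage == "external":
        checks = [("gateway", frog_ip, GATEWAY_PORT)]
    elif vantage == "internal":
        checks = [("rdp", ip, RDP_PORT) for ip in workstations]
        if wmi_host:
            checks.append(("wmi", wmi_host, WMI_PORT))
    else:
        raise ValueError("vantage must be 'external' or 'internal'")
    results = []
    for hop, host, port in checks:
        ok = probe(host, port)
        results.append((hop, host, port, ok, "" if ok else HINTS[hop]))
    return results

if __name__ == "__main__":
    # Constructed addresses from the documentation range; replace with your own.
    for row in preflight("internal", "192.0.2.10", ["192.0.2.21", "192.0.2.22"], "192.0.2.5"):
        print(row)
```

A successful TCP connect only shows that the port accepts connections; it does not confirm that Remote Desktop logins are permitted for the user.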
Please see below the pre-requisites for Secure Gateway to work successfully.
- Enable port forwarding (2001/TCP) from the external IP address of the Frog server on your firewall / gateway to the internal IP address of your Frog server on your LAN / DMZ, much like port 80/TCP and 443/TCP are configured for your current Frog service. If port 2001/TCP is in use then please use any other available unprivileged port. This information will need to be passed on to the Frog Service Desk for configuration.
- Installation of the Frog WMI Query Service. This service allows the Secure Gateway system to determine whether or not a PC is in use. The service must be installed on a server that can contact all PCs or servers that a user wishes to use Secure Gateway with; generally this would be the Domain Controller. The service will also require the username and password of an account that can carry out the WMI queries on the network. By default the Frog WMI Query Service runs on port 8888/TCP. However, this can be altered should another service on your server have this in use. The Frog WMI Query Service can be downloaded here.
- Ensure that the host PCs within the school have Remote Desktop enabled and are configured to allow users to log in remotely.
- Contact the Frog Service Desk on 01422 395 939 or email@example.com to activate Secure Gateway.
Activate Secure Gateway configuring the following defaults for the Frog server:
- External IP address of the Frog server.
- External port to be used for Secure Gateway traffic from the user to the Frog server. This by default will be port 2001/TCP unless specified otherwise by the school.
- Internal IP address of the Frog server.
Setup Secure Gateway
Once the Service Desk has activated Secure Gateway there will be additional elements for the school administrator to configure. Navigate to the FrogBar at the top of the platform, click on your login initials, then go to System Preferences > Secure Gateway > Configuration.
When the Secure Gateway Configuration page displays, so will all of the default information about your Frog server.
If the Frog WMI Query Service has been configured then please enter in the details as below and then click on the Save button.
WMI Host - The hostname of the server where the Frog WMI Query Service has been installed. This normally would be the domain controller within your school.
WMI Port - The port that has been configured for the Frog WMI Query Service. By default this will be port 8888/TCP unless modified by the administrator.
Next the administrator will need to create rules. Rules are created to manage PCs that can be accessed within your school. Access to the rules can be further broken down to individual users or groups. To create a rule, navigate to the Frog Head > System Preferences > Secure Gateway > Rules.
When the Secure Gateway Rules page opens, click on the Add new rule button.
The Edit rule window will appear. Enter the PCs as well as appropriate users / groups that are to have access via Secure Gateway as per the fields below:
Description - Enter a description for the PC or pool of PCs that will be accessible to users.
Hosts - Enter the internal IP address for a single PC and then click on the + button. If a pool of PCs is to be made available then add in the next IP address and click on the + icon.
Port - By default port 3389/TCP will be used unless specified differently.
Users - Enter the individual user or group of users to have access.
Once happy with the information entered, click on the Save button.
When the rule saves, FrogLearn will check that the IP address is available on the port specified (by default this is port 3389/TCP). If successful then the rule will be added to the list of Secure Gateway Rules as shown below.
Multiple rules can be added by selecting the Add new rule button. To modify an existing rule click on the Edit button, or the Delete button to remove an existing rule.
Once logged in to Frog, a user can access a PC within the school by navigating to the Frog Head > My Preferences > Secure Gateway.
A list of the available connections will be displayed. Click on the Enable button to activate the connection.
A list of instructions will appear advising the user how to connect to the PC host within the school using Remote Desktop client from their local machine.