Alpiq's intranet is accessible via their Check Point NTLM VPN plus a local NTLM proxy server. A cntlm service (https://github.com/versat/cntlm) is running and listening only on localhost (it's somehow running as an admin service, I don't know how; I don't have admin rights on the Windows machine). The cntlm proxy authenticates via NTLM and re-exposes the proxy as a plain HTTP/HTTPS proxy on 127.0.0.1:3128. This is documented on the official Alpiq Confluence.
How do we securely connect to the NTLM proxy without admin rights or port forwarding?
We run another proxy plus WireGuard tunnels in WSL, where we do have admin access (on the Alpiq machine).
- The tool of choice is the end-to-end encrypted and carefully audited Tailscale VPN.
- The Tailscale connector runs as a root service inside the bridge-networked WSL instance. It proxies localhost:3128 (the cntlm HTTP proxy on the Windows host) through a WireGuard tunnel to authorized members of the tailnet (me and Balint's Mac). Access is brokered on a zero-trust basis, using explicit grants.
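What such an explicit grant looks like in a Tailscale policy file, shown beside the permissive default it replaces (added illustration, not the policy actually in use; the user addresses, the tag name and the node being tagged are assumptions):

```jsonc
{
  // Who may apply the tag to the WSL node that fronts cntlm (assumed tag name).
  "tagOwners": {
    "tag:alpiq-proxy": ["me@example.com"]
  },

  // The permissive rule a new tailnet ships with: every device may reach every
  // port on every other device. Left in place, it would expose 3128 to the whole
  // tailnet, so it is removed (kept here commented out for contrast).
  // "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],

  // Explicit grant: only the two named identities (assumed addresses) may open
  // TCP 3128 on nodes carrying the tag. No other port on that node, and no other
  // identity, is permitted.
  "grants": [
    {
      "src": ["me@example.com", "balint@example.com"],
      "dst": ["tag:alpiq-proxy"],
      "ip":  ["tcp:3128"]
    }
  ],

  // Policy tests: the admin console rejects a policy whose behaviour does not
  // match these expectations, so a later edit cannot silently widen access.
  "tests": [
    {"src": "balint@example.com", "accept": ["tag:alpiq-proxy:3128"]},
    {"src": "someone-else@example.com", "deny": ["tag:alpiq-proxy:3128"]}
  ]
}
```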
SSL?
- Tailscale provides SSL certificates, so traffic is encrypted from the Macs all the way to the Alpiq machine.