A knowledge base article about IST - DBA Customer Bastion Host Access HOWDOI provided by the UC Berkeley IT Service Hub - Knowledge Portal
SQLC-PMAN03.ist.berkeley.edu is the SQL Customer Bastion Host. It has the SQL 2019 tools installed.
ORAC-PMAN01.ist.berkeley.edu is the Oracle Customer Bastion Host with SQL Developer.
dba-gateway.ist.berkeley.edu is the RDP gateway for reaching either Customer Bastion Host.
Client Use:
You must submit a ticket to dbticket to be added to the security groups that allow access to the bastion hosts initially. As a best practice, using a pvt- account, created by your department's Active Directory OU admin, for privileged access is much preferable to using your CalNet account. CalNet credentials are often skimmed in phishing attacks or by keyboard sniffers on unsafe computers. Since pvt- accounts are used only for privileged access, they are much less likely to be compromised, especially if you use a secure campus client as your RDP client. Because they are used less, they also provide some log auditing benefits during a breach investigation.
I believe the latest Mac client also supports RDP Gateways and they have a similar set of configuration items.
As of February 2020, Duo is REQUIRED for accessing the dba-gateway.ist.berkeley.edu RDP gateway. When you log on, you will have to authenticate twice. The first login requires your CalNet credentials and the Duo 2-step. If you have a pvt- account, use it for the second authentication when prompted; if you don't use a pvt- account, use your CalNet credentials for the second login instead.
In the client settings,
Under General, the host to connect to is either
On a typical Windows RDP client:
Go to Advanced>
Go to Settings: use dba-gateway.ist.berkeley.edu as the gateway.
Also, for full smartcard support, and sometimes a better RDP experience, go to Local Resources>
I usually uncheck "Printers", but you can consider using it. It is hit or miss with drivers sometimes.
Go to More> Select "Smart Cards"
Optionally select "Drives" c:. This is what allows the remote host to reach back to your client's c: drive for file transfer. Although it is useful, and may be required in some cases, from a security standpoint it is best not to use this approach; I am still weighing leaving this open or closing it in the GPO. If your home machine had a virus.exe and you mapped your home drive for file transfer, and you clicked or copied virus.exe, you could conceivably infect the remote system (server), although customers run in non-privileged mode to protect against this. It is probably safest for customers to copy and paste text only, but I will have to think through this as people use it. For now, we will allow it, but we will review this with SNS occasionally.
You can leave this setting for pretty much everything, and you can save it as an RDP saved connection if you want to use it sometimes and not others. Sometimes, I create different RDP icons on my desktop depending on what I'm doing.
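The same client settings, written out as saved .rdp connection files instead of clicked through the mstsc dialogs, as an added example that is not part of the KB article or of IST's own tooling. The hostnames are the ones named above; the output folder, the file names and the function name are assumptions, and drive redirection is left off unless explicitly requested, reflecting the caveat above.

```powershell
# Added example (not from the KB article): builds saved .rdp files for both Customer
# Bastion Hosts with the settings the article walks through in the mstsc GUI.
# Hostnames are from the article; output folder, file names and function name are assumptions.
$Gateway  = 'dba-gateway.ist.berkeley.edu'
$Bastions = @{
    'SQL'    = 'SQLC-PMAN03.ist.berkeley.edu'   # SQL 2019 tools
    'Oracle' = 'ORAC-PMAN01.ist.berkeley.edu'   # SQL Developer
}

function New-BastionRdpFile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BastionHost,
        [string]$OutDir = "$env:USERPROFILE\Desktop",
        # Off by default: a mapped client drive lets a file from your machine be copied
        # onto the server, which is the risk the article describes.
        [switch]$RedirectCDrive
    )
    $lines = @(
        "full address:s:$BastionHost"
        # Advanced > Settings: always connect through the RD Gateway, using these explicit settings
        "gatewayhostname:s:$Gateway"
        "gatewayusagemethod:i:1"
        "gatewayprofileusagemethod:i:1"
        # Prompt separately for the gateway (CalNet + Duo) and for the bastion host (pvt- or CalNet)
        "promptcredentialonce:i:0"
        # Local Resources > More: smart cards on, printers off, clipboard kept for text copy/paste
        "redirectsmartcards:i:1"
        "redirectprinters:i:0"
        "redirectclipboard:i:1"
        # Local Resources > More > Drives: C: only when requested, otherwise no drives at all
        "drivestoredirect:s:$(if ($RedirectCDrive) { 'C:\;' } else { '' })"
    )
    $path = Join-Path $OutDir "$Name-bastion.rdp"
    # mstsc saves its own .rdp files as UTF-16, so match that when writing
    $lines | Set-Content -Path $path -Encoding Unicode
    return $path
}

# One icon per bastion host, without drive redirection; add -RedirectCDrive for a
# separate file to use only when you actually need file transfer.
foreach ($entry in $Bastions.GetEnumerator()) {
    New-BastionRdpFile -Name $entry.Key -BastionHost $entry.Value
}
```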
Storing Files:
We do not guarantee files will be saved here. You can save files in your profile, but please avoid large files or large amounts of data. Often profiles become corrupt, or we have to free space by deleting user profiles. That is just life on a terminal server. So you can put things there as you need them, but please keep your authoritative source somewhere on your own system.