Tunnelling through a Firewall

Posted on 2000-04-07
Last Modified: 2010-04-11
Hello experts,

I REALLY need help with tunnelling through a firewall.

The setup is as follows:
I have a server within the company LAN. Outside in the big ugly real world I have some clients. Now, I need to establish and maintain a VPN (PPTP protocol) from the server to each client. The server knows the IP address of each client.

This connection might pass through a proxy and might pass through a firewall. However, I do not want to make any "holes" through these devices. Can this be done? Perhaps by tunnelling through port 80.

Regards Søren
Question by:svj
Expert Comment

ID: 2694098
Sounds interesting to me. But I have never had to do it this way.
You may need dedicated hardware.
Modem and RAS is easier for Local stuff.
Expert Comment

ID: 2694229
What kind of firewall? The preferred solution from a security standpoint is to have the firewall or a VPN router outside of the firewall establish the connection. Any method that places the local endpoint of the VPN inside of the firewall requires opening an inbound hole through the firewall... Not good! A Cisco PIX can do IPSec VPNs and Checkpoint can do their proprietary VPN directly and safely. Placing a properly configured VPN router outside of the firewall is also safe as only "known good" connections will be coming from the "inside" interface of the router and they can be permitted to pass unhindered through the firewall.

Author Comment

ID: 2699745
The server within the company LAN is actually a piece of dedicated hardware. This excludes the use of RAS.

I do not know which kind of firewall I'm dealing with. The project I'm working on is to be deployed in any company. My advantage is, maybe, that the PPTP connection through the firewall is outbound.

Up until now, I've thought that placing the server behind the firewall was my key to establishing connections to my clients through the firewall. I know the clients' IP addresses, which should make me able to establish the connection. Once the connection is established, it should be kept alive in order to let the clients signal directly to the server (max. latency 3 seconds under normal conditions).

However, this is probably what a hacker would do. That is, sending a small program via email, which establishes a connection to some "mother" outside. This leads me to believe that "up to date" firewalls would kill such an outbound connection.

Author Comment

ID: 2707158
Adjusted points from 200 to 300

Expert Comment

ID: 2713224
What you need is a client-based VPN between your router/firewall and the clients coming in from the Internet. For example, if you are using CheckPoint Firewall-1/VPN-1 firewall, then you need to install SecureRemote on the client PCs. After configuring both ends, you basically establish VPNs between the firewall and the clients using IKE/IPSEC. For more detail, please refer to Cisco PIX firewall has same feature built in. If you have a Cisco router with IPSEC/3DES/VPN feature such as 7100 series for your company Internet connection, you can establish client-based VPN between the router and the clients. For detail, visit Cisco website at
Expert Comment

ID: 2713828
Seems like I missed an email notification... or two. The proposed answer triggered one but not your last two comments...

If the server inside the firewall is going to always be the one to initiate the connection then there is little risk of subversion of the connection, nor do you have to "tunnel through the firewall". Generally speaking, inside clients can open connections to the outside as desired and on whatever outbound port is wanted. There are situations where outbound ports are restricted for administrative reasons, say to block ICQ or FTP, etc.

Reading between the lines, it sounds like you are going to be creating some unique application and the appropriate client SW that talks to the application. Without knowing more about the service that will run over the PTP link it's hard to say whether you could use the port 80 (or better yet 443). Some proxies & firewalls expect any use of those ports to actually look like web traffic and might reject or otherwise have problems passing something that doesn't look like a web stream. Now, if the data stream can follow the same protocol as an SSL encrypted web stream, then it should work just fine.

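As an added illustration of the point above (my example, not code from the thread), here is the kind of first-packet check a strict proxy or firewall applies to a connection on port 443: it tells a real TLS ClientHello apart from a bare PPTP control connection or plain HTTP, which is exactly why "just use 443" only works if the stream looks like SSL. The sample messages are constructed for this example.

```python
import os
import struct

PPTP_MAGIC = 0x1A2B3C4D   # magic cookie at offset 4 of every PPTP control message
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

def looks_like_tls_client_hello(data: bytes) -> bool:
    """Validate the TLS record header and the handshake header that follows it."""
    if len(data) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    # record type 0x16 = handshake; version 3.0-3.4 covers SSLv3 through TLS 1.3 wire values
    if ctype != 0x16 or major != 3 or minor > 4 or not 4 <= rec_len <= 0x4000:
        return False
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    # handshake type 0x01 = ClientHello; its body must fit inside the record
    return hs_type == 0x01 and hs_len + 4 <= rec_len

def looks_like_pptp_control(data: bytes) -> bool:
    """PPTP control header: length, message type 1, magic cookie, control message type."""
    if len(data) < 12:
        return False
    length, msg_type, magic, ctrl_type = struct.unpack("!HHIH", data[:10])
    return msg_type == 1 and magic == PPTP_MAGIC and 1 <= ctrl_type <= 15 and length >= 12

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'pptp', 'http' or 'other' for the first bytes a client sends."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_pptp_control(data):
        return "pptp"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "other"

def build_client_hello() -> bytes:
    """Constructed minimal ClientHello: TLS 1.2 version, one cipher suite, no extensions."""
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"              # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # one suite, null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_pptp_sccrq() -> bytes:
    """Constructed PPTP Start-Control-Connection-Request (fixed 156-byte layout)."""
    head = struct.pack("!HHIHHHHIIHH", 156, 1, PPTP_MAGIC, 1, 0, 0x0100, 0, 1, 1, 1, 0)
    return head + b"client".ljust(64, b"\0") + b"vendor".ljust(64, b"\0")

if __name__ == "__main__":
    for name, sample in (("tls", build_client_hello()), ("pptp", build_pptp_sccrq())):
        print(name, "->", classify_first_bytes(sample))
```

A real proxy also checks what follows the handshake, so wrapping the stream in genuine TLS is the approach that survives such inspection, not merely choosing the port.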
Author Comment

ID: 2768205
Sorry for the long silence, but I've attended a conference in New Orleans.

My client is also dedicated hardware. That is, it is not possible to run some out-of-the-box firewall/client VPN. The VPN must be set up between the client and a server residing behind the Firewall.

I'm sorry for the bit by bit information, but my boss would chop off my fingers if I revealed too much about the project.

jlevie's suggestion about SSL might just work. I have to look into that.

Accepted Solution

tzanger earned 300 total points
ID: 2826200
Try PoPToP from Moreton Bay.  (

I use it here and it works very well.  Works seamlessly with Windows because it uses Microsoft's own VPN client.  I have the PoPToP software installed on the firewall along with pppd.  It'll give the authenticated user an IP on the internal network and proxyarp for them.

It's not as secure as something like Linux S/WAN (the PoPToP site explains this, it is a problem with Microsoft's VPN implementation, not PoPToP), but it is "good enough" for our travelling sales critters and I believe if you're willing to sacrifice the "plug and go", it is fully securable under Windows.  I use the S/WAN implementation for our office-to-office links because those connections are more or less permanent VPN connections and I don't need to bother with Microsoft.

At any rate, PoPToP will allow authenticated outside users to gain access to the internal network (Windows/Samba shares, access to printers, whatever you allow really) in an encrypted and secure fashion from anywhere in the world.  PoPToP also provides some decent logs.

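As an added illustration of the PoPToP-on-the-firewall setup described in the accepted answer (my example, not tzanger's configuration), these are the two files a minimal pptpd install reads, with the authentication options tightened to the strongest profile pppd offers. The address ranges, resolver address and the sample chap-secrets entry are assumptions.

```conf
# /etc/pptpd.conf  (added example; addresses are assumptions)
# pppd options file applied to every PPTP tunnel
option /etc/ppp/options.pptpd
# server-side address of each PPP link
localip 192.168.1.1
# pool handed to authenticated users; kept inside the LAN subnet so that
# proxyarp can answer for them and they appear as ordinary LAN hosts
remoteip 192.168.1.200-220

# /etc/ppp/options.pptpd
# name that the "server" column of chap-secrets must match
name pptpd
# weak profile: leaving PAP, CHAP or MS-CHAPv1 enabled lets a client negotiate
# down to cleartext or LM-style password hashes, so refuse all three
refuse-pap
refuse-chap
refuse-mschap
# hardened profile: MS-CHAPv2 only, and 128-bit MPPE on every link
require-mschap-v2
require-mppe-128
# answer ARP on the LAN side for the tunnelled address (the proxyarp the
# answer refers to)
proxyarp
# never let a remote user's link replace the server's default route
nodefaultroute
lock
# internal resolver pushed to the client (assumption)
ms-dns 192.168.1.2

# /etc/ppp/chap-secrets   columns: client  server  secret  IP
# sales01   pptpd   "<per-user secret>"   *
```

`require-mppe-128` needs MPPE support in the kernel; if MPPE cannot be negotiated, pppd tears the link down rather than running it as unencrypted PPP.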