Tunnelling through a Firewall

Hello experts,

I REALLY need help with tunnelling through a firewall.

The setup is as follows:
I have a server within the company LAN. Outside in the big ugly real world I have some clients. Now, I need to establish and maintain a VPN (PPTP protocol) from the server to each client. The server knows the IP address of each client.

This connection might pass through a proxy and might pass through a firewall. However, I do not want to make any "holes" through these devices. Can this be done? Perhaps by tunnelling through port 80.

Regards Søren
Try PoPToP from Moreton Bay.  (www.moretonbay.com)

I use it here and it works very well.  Works seamlessly with Windows because it uses Microsoft's own VPN client.  I have the PoPToP software installed on the firewall along with pppd.  It'll give the authenticated user an IP on the internal network and proxyarp for them.

It's not as secure as something like Linux S/WAN (the PoPToP site explains this, it is a problem with Microsoft's VPN implementation, not PoPToP), but it is "good enough" for our travelling sales critters and I believe if you're willing to sacrifice the "plug and go", it is fully securable under Windows.  I use the S/WAN implementation for our office-to-office links because those connections are more or less permanent VPN connections and I don't need to bother with Microsoft.

At any rate, PoPToP will allow authenticated outside users to gain access to the internal network (Windows/Samba shares, access to printers, whatever you allow really) in an encrypted and secure fashion from anywhere in the world.  PoPToP also provides some decent logs.
Sounds interesting to me. But I have never had to do it this way.
You may need dedicated hardware.
Modem and RAS is easier for Local stuff.
What kind of firewall? The preferred solution from a security standpoint is to have the firewall or a VPN router outside of the firewall establish the connection. Any method that places the local endpoint of the VPN inside of the firewall requires opening an inbound hole through the firewall... Not good! A Cisco PIX can do IPSec VPNs and Checkpoint can do their proprietary VPN directly and safely. Placing a properly configured VPN router outside of the firewall is also safe, as only "known good" connections will be coming from the "inside" interface of the router and they can be permitted to pass unhindered through the firewall.
svj (Author) commented:
The server within the company LAN is actually a piece of dedicated hardware. This excludes the use of RAS.

I do not know which kind of firewall I'm dealing with. The project I'm working on is to be deployed in any company. My advantage is, maybe, that the PPTP connection through the firewall is outbound.

Up until now, I've thought that placing the server behind the firewall was my key to establishing connections to my clients through the firewall. I know the clients' IP addresses, which should make me able to establish the connection. Once the connection is established, it should be kept alive in order to let the clients signal directly to the server (max. latency 3 seconds under normal conditions).

However, this is probably what a hacker would do. That is, sending a small program via email, which establishes a connection to some "mother" outside. This leads me to believe that "up to date" firewalls would kill such an outbound connection.
svj (Author) commented:
Adjusted points from 200 to 300
What you need is a client-based VPN between your router/firewall and the clients coming in from the Internet. For example, if you are using a CheckPoint Firewall-1/VPN-1 firewall, then you need to install SecureRemote on the client PCs. After configuring both ends, you basically establish VPNs between the firewall and the clients using IKE/IPSEC. For more detail, please refer to http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206. The Cisco PIX firewall has the same feature built in. If you have a Cisco router with the IPSEC/3DES/VPN feature, such as the 7100 series, for your company Internet connection, you can establish a client-based VPN between the router and the clients. For detail, visit the Cisco website at http://www.cisco.com.
Seems like  I missed an email notification... or two. The proposed answer triggered one but not your last two comments...

If the server inside the firewall is going to always be the one to initiate the connection then there is little risk of subversion of the connection, nor do you have to "tunnel through the firewall". Generally speaking, inside clients can open connections to the outside as desired and on what ever outbound port is wanted. There are situations where outbound ports are restricted for administrative reasons, say to block ICQ or FTP, etc.

Reading between the lines, it sounds like you are going to be creating some unique application and the appropriate client SW that talks to the application. Without knowing more about the service that will run over the PTP link it's hard to say whether you could use port 80 (or better yet 443). Some proxies & firewalls expect any use of those ports to actually look like web traffic and might reject or otherwise have problems passing something that doesn't look like a web stream. Now if the data stream can follow the same protocol as an SSL encrypted web stream, then it should work just fine.
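As an added example (not code from the original thread, nor from any product named in it), here is how the approach in the previous comment looks in practice: the inside server opens an outbound HTTP CONNECT session through the company proxy to the client's known address, keeps that TCP session alive, and the client then signals back over the session the server initiated. The toy proxy, the port numbers and the "SIGNAL" payload are constructed for the demo; a real deployment would wrap the tunnel in TLS (the wrap_tls helper, not exercised offline because it needs a certificate) so the bytes on 443 look like, and actually are, HTTPS. One caveat the thread does not spell out: PPTP carries its data in GRE (IP protocol 47), which a web proxy on 80/443 cannot forward at all, so whatever runs over a proxy tunnel like this has to be carried in TCP.

```python
# Added example, not from the original thread. Inside host -> proxy CONNECT ->
# outside client, then the outside client signals back over the live session.
# Proxy, ports and the SIGNAL payload are constructed for this demo.
import socket
import ssl
import threading


def build_connect_request(host, port, proxy_auth=None):
    """Build the CONNECT request a forward proxy expects (RFC 7231 s4.3.6)."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if proxy_auth:  # base64("user:pass") for Proxy-Authorization: Basic
        req += f"Proxy-Authorization: Basic {proxy_auth}\r\n"
    return (req + "\r\n").encode("ascii")


def _read_head(sock, limit=65536):
    """Read up to the blank line ending an HTTP head; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the HTTP head was complete")
        buf += chunk
        if len(buf) > limit:
            raise ConnectionError("HTTP head too large")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def open_tunnel(proxy_addr, target_host, target_port, timeout=10.0):
    """Connect outbound through the proxy. Returns the tunnelled socket plus any
    payload bytes that arrived glued to the proxy's response (must not be lost)."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    sock.sendall(build_connect_request(target_host, target_port))
    head, leftover = _read_head(sock)
    parts = head.split(b"\r\n")[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        sock.close()
        raise ConnectionError("proxy sent a non-HTTP response to CONNECT")
    if int(parts[1]) != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {parts[1].decode()}")
    # The session must stay up so the outside end can signal back later.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    return sock, leftover


def wrap_tls(sock, server_hostname):
    """Next step in a real deployment: TLS over the tunnel, with the outside
    client acting as the TLS server. Default context verifies its certificate."""
    return ssl.create_default_context().wrap_socket(sock, server_hostname=server_hostname)


def _relay(src, dst):
    """Copy bytes one way until EOF, then tear down both sides."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def toy_proxy(listener, allowed_ports):
    """Single-shot CONNECT proxy standing in for a locked-down corporate proxy:
    it only tunnels to ports in allowed_ports (in real life, 443)."""
    client, _ = listener.accept()
    head, _ = _read_head(client)
    try:
        method, target, _ = head.split(b"\r\n")[0].split(b" ", 2)
        host, port = target.decode("ascii").rsplit(":", 1)
        port = int(port)
    except ValueError:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    if method != b"CONNECT" or port not in allowed_ports:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        client.close()
        return
    target_sock = socket.create_connection((host, port))
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    threading.Thread(target=_relay, args=(client, target_sock), daemon=True).start()
    threading.Thread(target=_relay, args=(target_sock, client), daemon=True).start()


def demo():
    """Constructed scenario on localhost. Returns (refused, signal_from_client)."""
    outside = socket.socket()            # the client out on the Internet
    outside.bind(("127.0.0.1", 0))
    outside.listen(1)
    client_port = outside.getsockname()[1]
    proxy = socket.socket()              # the company proxy
    proxy.bind(("127.0.0.1", 0))
    proxy.listen(2)
    proxy_addr = proxy.getsockname()
    # 1) CONNECT to a port the proxy does not allow is refused: no "hole" made.
    threading.Thread(target=toy_proxy, args=(proxy, {client_port}), daemon=True).start()
    try:
        open_tunnel(proxy_addr, "127.0.0.1", client_port + 1)
        refused = False
    except ConnectionError:
        refused = True
    # 2) To the allowed port the tunnel comes up; the outside end pushes a signal.
    threading.Thread(target=toy_proxy, args=(proxy, {client_port}), daemon=True).start()
    tunnel, data = open_tunnel(proxy_addr, "127.0.0.1", client_port)
    peer, _ = outside.accept()
    peer.sendall(b"SIGNAL:open-valve")   # constructed payload, client -> server
    peer.close()
    while chunk := tunnel.recv(4096):
        data += chunk
    for s in (tunnel, outside, proxy):
        s.close()
    return refused, data.decode("ascii")


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is the asymmetry the previous comment describes: every TCP connection is opened from the inside, so nothing inbound has to be permitted, yet once the session is up the outside client can send to the server at will. The proxy's port policy is enforced before any connection to the target is made, which is why the refused CONNECT never touches the outside host.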
svj (Author) commented:
Sorry for the long silence, but I've attended a conference in New Orleans.

My client is also dedicated hardware. That is, it is not possible to run some out-of-the-box firewall/client VPN. The VPN must be set up between the client and a server residing behind the Firewall.

I'm sorry for the bit by bit information, but my boss would chop off my fingers if I revealed too much about the project.

jlevie's suggestion about SSL might just work. I have to look into that.