How to configure access for an outside company to access a client-server app

I have a client running a client-server app on an XP Pro workstation; the server is Windows Server 2000.  

I need to give a small number of 3rd party companies (perhaps 2-3) access to run this particular application.

What's the best way to allow these companies to run this app, while also securing the rest of the network from them? I'd like performance to be 'decent' (as opposed to 'painfully slow').
Thank you.
purplepomegranite Commented:
The VPN router is definitely the better option for these reasons:

- No extra overhead on the server, which means performance isn't affected.
- If anyone does try to hack the VPN, they are only attacking the Linksys box, not a server. Servers tend to have more potential security holes than boxes, and in addition if someone were to succeed in hacking the VPN (unlikely of course), they would then still need to get past the server's security (i.e. domain log-ons). Two-tier defence is always better than one tier...

There are probably other reasons too, but that should be enough to justify it.  I can't think of any reasons that make the Windows 2000 server option more secure...
How does the client-server app operate?

If it opens a connection to the server on a specific port, then allowing remote access to just this app should be a case of opening this port on your firewall and forwarding the traffic to your server.  However, the problem with this is that the data wouldn't be encrypted, unless the client/server app itself takes care of this.

Could you provide more details of your app?
You could install a terminal server. When they log on to the terminal server, tell it to launch the program you want them to use. This will limit them to the one application and nothing else. When they log on to the server it will be almost as fast as if you were sitting in the office in front of that machine.
Assuming you don't want clients logged on locally to your server via terminal services, then purplepomegranite's post applies. You need to provide more details. Depending on the equipment you have you should be able to configure your router and firewall to work together to do what you need.

If this is not practical, another secure approach is to set up a VPN using Microsoft's Routing and Remote Access services (Add/Remove Windows Components) and set up as many VPN connections as necessary. You could then create a policy for the VPN connection defining access for remote connections. For example, if you install RRAS on a separate Win2K server you could specify that VPN connections from your client (defined by Windows group and connection type) only have access to the required ports on the server hosting the application. However, keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet. So given the configuration I describe, this will cut off the user's Internet connection while he has an active VPN connection to your network. If you enable the VPN connection to access your local gateway, then the VPN user would have Internet access, but this would be at the expense of all Internet traffic to the user being routed through your Internet connection--not ideal for you or the user.
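The server-side part of the RRAS approach above, as an added example that is not from this thread: on a current Windows host (Windows 2000 has no PowerShell, so this is the modern equivalent) the application server's firewall is set to default-deny inbound and a single allow rule is scoped to the VPN address pool and the app's port; a final query lists any other enabled inbound allow rule whose remote scope is 'Any', since those would also admit the VPN clients. The address pool and port number are placeholders.

```powershell
# Added example, not code from the thread. Placeholders below are assumptions:
$VpnPool = '10.250.0.0/24'   # assumed static address pool RRAS hands to VPN clients
$AppPort = 5000              # assumed TCP port of the client-server app (confirm with the vendor)

# Default-deny inbound on every profile, so the scoped allow rule below is the only way in.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Allow only the VPN pool, only to the application port. Nothing else on this server
# (file shares, RDP, management ports) is reachable from the third-party clients.
New-NetFirewallRule -DisplayName 'Third-party VPN -> app port only' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $AppPort -RemoteAddress $VpnPool -Profile Any

# Check: any other enabled inbound Allow rule with remote scope 'Any' would still admit
# the VPN pool. Review each one listed and narrow its RemoteAddress or disable it.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, Profile
```

The same scoping should also exist at the RRAS server or VPN router itself, so a client that reaches the pool cannot probe other hosts on the LAN; the host firewall is the second tier.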

stevekalu (Author) Commented:
I don't know how the client-server app works or what port(s) it uses, I can contact the vendor to find out.

Is it OK, in terms of security and not causing other problems, to have a terminal services connection right to the production server? The client doesn't have the budget to set up a separate box for W2K server just to act as a terminal server, though.

Would it be more secure to have an XP Pro box that the companies could VPN into, then run the app from there, or is that just adding an unnecessary layer?
Thank you.
I'm with glebn on this one... the only way to really safely have them connect to your server is to have them access it over a VPN (opening the ports on your firewall that are needed would open the app to everyone and wouldn't be very secure). Setting up the VPN "usually" isn't too hard. The hardest part is usually opening the proper VPN ports on your firewall.

NOTE: "keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet" -- this statement isn't 100% true. It will be true if you use the built-in Windows VPN client with the default options, since by default "Use default gateway on remote network" is checked. Since this changes your computer's gateway, your computer doesn't "know" how to get out to the Internet anymore. To correct this all you have to do is uncheck the checkbox. Instructions for doing this are in the link below. Step 9 is the most important:
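The "uncheck Use default gateway on remote network" step above, as an added example that is not from this thread: on a current Windows client (the XP dial-up dialog has no scripting equivalent) the VpnClient module creates the profile with split tunnelling on, then adds a host route for only the application server, so the user keeps normal Internet access and only app traffic enters the tunnel. The connection name, VPN endpoint and server address are placeholders.

```powershell
# Added example, not code from the thread. Placeholders below are assumptions:
$ConnName  = 'ClientSiteApp'      # assumed name for the VPN profile
$VpnServer = 'vpn.example.com'    # assumed public name of the VPN router / RRAS server
$AppServer = '192.0.2.10'         # assumed private address of the application server

# Remove any stale profile of the same name so the script can be re-run.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}

# -SplitTunneling is the scripted form of unchecking "Use default gateway on remote network":
# the tunnel no longer becomes the client's default route, so Internet traffic stays local.
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer `
    -TunnelType Ikev2 -AuthenticationMethod Eap -SplitTunneling

# With split tunnelling enabled nothing is routed into the tunnel until a route is added.
# A /32 for the application server alone keeps the rest of the remote LAN off this client's
# routing table; enforcement still belongs on the VPN gateway, this only limits what is sent.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix "$AppServer/32"

# Verify the result: SplitTunneling should be True and the only route the /32 above.
Get-VpnConnection -Name $ConnName | Select-Object Name, TunnelType, SplitTunneling
(Get-VpnConnection -Name $ConnName).Routes | Select-Object DestinationPrefix
```

Split tunnelling means the client is simultaneously on the Internet and on your VPN, so the server-side port scoping at the VPN gateway and app server is what actually protects the rest of the network, not this route.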
It is perfectly safe to provide services in ways other than a VPN - it depends entirely upon the service.  HTTPS is used to secure web applications, and people running secure web-servers certainly wouldn't want each of their clients to have a VPN into their system.

We need more information about the app to make any informed suggestion, I think.
stevekalu (Author) Commented:
OK, let me approach the question in a different way.  Which option is better from a security and performance standpoint, using a VPN router such as the Linksys BEFVP41 (includes an IPsec co-processor, cost of device is $130), or using the software-based VPN tools included with Windows 2000 server?