How to configure access for an outside company to access a client-server app

Posted on 2005-04-25
Medium Priority
Last Modified: 2010-04-10
I have a client running a client-server app on an XP Pro workstation; the server is Windows Server 2000.  

I need to give a small number of 3rd party companies (perhaps 2-3) access to run this particular application.

What's the best way to allow these companies to run this app, while also securing the rest of the network from them?  I'd like performance to be 'decent' (as opposed to 'painfully slow').
thank you.
Question by:stevekalu
LVL 24

Expert Comment

ID: 13859748
How does the client-server app operate?

If it opens a connection to the server on a specific port, then allowing remote access to just this app should be a case of opening this port on your firewall and forwarding the traffic to your server.  However, the problem with this is that the data wouldn't be encrypted, unless the client/server app itself takes care of this.

Could you provide more details of your app?
LVL 13

Expert Comment

ID: 13859881
You could install a terminal server.  When they log on to the terminal server, tell it to launch the program you want them to use.  This will limit them to the one application and nothing else.  When they log on to the server it will be almost as fast as if you were sitting in the office in front of that machine.

Expert Comment

ID: 13860137
Assuming you don't want clients logged on locally to your server via terminal services, then purplepomegranite's post applies. You need to provide more details. Depending on the equipment you have you should be able to configure your router and firewall to work together to do what you need.

If this is not practical, another secure approach is to set up a VPN using Microsoft's Routing and Remote Access services (Add/Remove Windows Components) and set up as many VPN connections as necessary. You could then create a policy for the VPN connection defining access for remote connections. For example, if you install RRAS on a separate Win2K server you could specify that VPN connections from your client (defined by Windows group and connection type) only have access to the required ports on the server hosting the application. However, keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet. So given the configuration I describe, this will cut off the user's Internet connection while he has an active VPN connection to your network. If you enable the VPN connection to access your local gateway, then the VPN user would have Internet access, but this would be at the expense of all Internet traffic to the user being routed through your Internet connection--not ideal for you or the user.




Author Comment

ID: 13861307
I don't know how the client-server app works or what port(s) it uses, I can contact the vendor to find out.

Is it OK, in terms of security and not causing other problems, to have a terminal services connection right to the production server?  The client doesn't have the budget to set up a separate box for W2K server just to act as a terminal server, though.

Would it be more secure to have an XP Pro box that the companies could VPN into, then run the app from there, or is that just adding an unnecessary layer?
thank you.
LVL 25

Expert Comment

ID: 13861343
I'm with glebn on this one... the only way to really safely have them connect to your server is to have them access it over a VPN (opening the ports on your firewall that are needed would open the app to everyone and wouldn't be very secure).  Setting up the VPN "usually" isn't too hard.  The hardest part is usually opening the proper VPN ports on your firewall.

NOTE:  "keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet" - this statement isn't 100% true.  It will be true if you use the built-in Windows VPN client with the default options, since by default "Use default gateway on remote network" is checked.  Since this changes your computer's gateway, your computer doesn't "know" how to get out to the Internet anymore.  To correct this, all you have to do is uncheck the checkbox.  Instructions for doing this are in the link below.  Step 9 is the most important:

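An added check for the behaviour described above (this is not code from the thread): it parses the IPv4 section of a Windows `route print` table and reports whether the VPN adapter has become the preferred default route, which is the symptom of "Use default gateway on remote network" being left checked. The route table and all addresses below are constructed samples.

```python
import re

# Constructed `route print` output (not captured from any real host). Two 0.0.0.0
# routes are present: the LAN one (metric 20) and a lower-metric one through the
# VPN adapter's own address, which is what the default-gateway option produces.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
          0.0.0.0          0.0.0.0         10.8.0.6        10.8.0.6       1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
      192.168.1.0    255.255.255.0         On-link      192.168.1.50     276
===========================================================================
"""

# One route line: destination, netmask, gateway, interface, numeric metric.
# Header and separator lines do not match because their last field is not a number.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """Default routes (0.0.0.0/0), lowest metric first; Windows prefers the first."""
    return sorted((r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"),
                  key=lambda r: r[4])


def vpn_owns_default_route(text, lan_gateway):
    """True when the preferred default route no longer goes via the LAN gateway."""
    defaults = default_routes(parse_routes(text))
    if not defaults:
        return False
    return defaults[0][2] != lan_gateway


if __name__ == "__main__":
    print("VPN has taken over the default route:",
          vpn_owns_default_route(SAMPLE_ROUTE_PRINT, "192.168.1.1"))
```

Run `route print` on the VPN client while the tunnel is up and feed its output in place of the sample; a result of `True` means Internet traffic is being sent through the tunnel.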
LVL 24

Expert Comment

ID: 13862956
It is perfectly safe to provide services in ways other than a VPN - it depends entirely upon the service.  HTTPS is used to secure web applications, and people running secure web-servers certainly wouldn't want each of their clients to have a VPN into their system.

We need more information about the app to make any informed suggestion, I think.

Author Comment

ID: 13958416
OK, let me approach the question in a different way.  Which option is better from a security and performance standpoint, using a VPN router such as the Linksys BEFVP41 (includes an IPsec co-processor, cost of device is $130), or using the software-based VPN tools included with Windows 2000 server?
LVL 24

Accepted Solution

purplepomegranite earned 2000 total points
ID: 13958865
The VPN router is definitely the better option for these reasons:

- No extra overhead on the server, which means performance isn't affected.
- If anyone does try to hack the VPN, they are only attacking the Linksys box, not a server.  Servers tend to have more potential security holes than boxes, and in addition if someone were to succeed in hacking the VPN (unlikely of course), they would then still need to get past the server's security (i.e. domain log-ons).  Two-tier defence is always better than one tier...

There are probably other reasons too, but that should be enough to justify it.  I can't think of any reasons that make the Windows 2000 server option more secure...
