stevekalu

asked on

How to configure access for an outside company to access a client-server app

Hi,
I have a client running a client-server app on an XP Pro workstation; the server is Windows Server 2000.  

I need to give a small number of 3rd party companies (perhaps 2-3) access to run this particular application.

What's the best way to allow these companies to run this app, while also securing the rest of the network from them?  I'd like performance to be 'decent' (as opposed to 'painfully-slow').
Thank you.
purplepomegranite

How does the client-server app operate?

If it opens a connection to the server on a specific port, then allowing remote access to just this app should be a case of opening this port on your firewall and forwarding the traffic to your server.  However, the problem with this is that the data wouldn't be encrypted, unless the client/server app itself takes care of this.

Could you provide more details of your app?
You could install a terminal server.  When they log on to the terminal server, tell it to launch the program you want them to use.  This will limit them to the one application and nothing else.  When they log on to the server it will be almost as fast as if you were sitting in the office in front of that machine.
glebn

Assuming you don't want clients logged on locally to your server via terminal services, then purplepomegranite's post applies. You need to provide more details. Depending on the equipment you have you should be able to configure your router and firewall to work together to do what you need.

If this is not practical, another secure approach is to set up a VPN using Microsoft's Routing and Remote Access services (Add/Remove Windows Components) and set up as many VPN connections as necessary. You could then create a policy for the VPN connection defining access for remote connections. For example, if you install RRAS on a separate Win2K server you could specify that VPN connections from your client (defined by Windows group and connection type) only have access to the required ports on the server hosting the application. However, keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet. So given the configuration I describe, this will cut off the user's Internet connection while he has an active VPN connection to your network. If you enable the VPN connection to access your local gateway, then the VPN user would have Internet access, but this would be at the expense of all Internet traffic to the user being routed through your Internet connection--not ideal for you or the user.

stevekalu

ASKER

I don't know how the client-server app works or what port(s) it uses, I can contact the vendor to find out.

Is it OK, in terms of security and not causing other problems, to have a terminal services connection right to the production server?  The client doesn't have the budget to set up a separate box for W2k server just to act as a terminal server, though.

Would it be more secure to have an XP Pro box that the companies could VPN into, then run the app from there, or is that just adding an unnecessary layer?
Thank you.
I'm with glebn on this one. The only way to really safely have them connect to your server is to have them access it over a VPN (opening the ports on your firewall that are needed would open the app to everyone and wouldn't be very secure).  Setting up the VPN "usually" isn't too hard.  The hardest part is usually opening the proper VPN ports on your firewall.

NOTE:  "keep in mind that when a user starts a VPN connection the VPN tunnel completely takes over the Internet connection and does not allow the user any other activity on the Internet"    This statement isn't 100% true.  It will be true if you use the built-in Windows VPN client with the default options, since by default "use gateway on remote network" is checked. Since this changes your computer's gateway, your computer doesn't "know" how to get out to the Internet anymore.  To correct this, all you have to do is uncheck the checkbox.  Instructions for doing this are in the link below.  Step 9 is the most important:

http://edserv05.its.yale.edu/ras/vpnwin2000.htm
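
The two settings discussed in the posts above (the client's "use gateway on remote network" checkbox, and a server-side policy limiting VPN clients to the application's port) can be modelled together. This is an added example, not part of the original thread; it is a simplified route-selection model, and the addresses, the port number and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions; the thread gives no addresses or ports)
OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
APP_SERVER, APP_PORT = "192.168.10.5", 5000  # placeholder port
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(use_remote_gateway):
    """Simplified client route table: (network, interface, metric)."""
    routes = [(DEFAULT, "local-isp", 20), (HOME_LAN, "local-lan", 20)]
    if use_remote_gateway:
        # Box checked: a lower-metric default route points into the tunnel.
        routes.append((DEFAULT, "vpn", 1))
    else:
        # Box unchecked: only the office network is routed into the tunnel.
        routes.append((OFFICE_LAN, "vpn", 1))
    return routes


def pick_interface(routes, dest):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def vpn_filter_allows(dest, port):
    """Server-side policy: VPN clients may reach only the app port."""
    return (dest, port) == (APP_SERVER, APP_PORT)


def outcome(use_remote_gateway, dest, port):
    """Where a client packet ends up under the given settings."""
    iface = pick_interface(build_routes(use_remote_gateway), dest)
    if iface != "vpn":
        return "direct via " + iface
    return "tunnel: allowed" if vpn_filter_allows(dest, port) else "tunnel: dropped"


if __name__ == "__main__":
    for checked in (True, False):
        for dest, port in [(APP_SERVER, APP_PORT), (APP_SERVER, 445),
                           ("203.0.113.7", 443), ("192.168.1.50", 9100)]:
            print(checked, dest, port, "->", outcome(checked, dest, port))
```

With the box unchecked, the third-party PC is connected to the Internet and to the tunnel at the same time, so the server-side port filter is what keeps the rest of the network out of its reach.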
It is perfectly safe to provide services in ways other than a VPN - it depends entirely upon the service.  HTTPS is used to secure web applications, and people running secure web-servers certainly wouldn't want each of their clients to have a VPN into their system.

We need more information about the app to make any informed suggestion, I think.
OK, let me approach the question in a different way.  Which option is better from a security and performance standpoint, using a VPN router such as the Linksys BEFVP41 (includes an IPsec co-processor, cost of device is $130), or using the software-based VPN tools included with Windows 2000 server?
ASKER CERTIFIED SOLUTION
purplepomegranite