Socket program in Proxy, firewall environment

Hi Experts,

Working on  a VOIP chat program (client and server) in VB , and which is running fine. I used winsock control with TCP config.
 Multiple user can connect to the server (which is listening to a Static IP) and invite other for a talk session.

The only (and big) problem that the application facing when a client is running
- in a proxy  network
- behind a firewall/Router.

Though it can communicate to the VOIP server application using the static IP but it is not able to connect/invite  other client (also running in a LAN).

How to solve the problem? How to use winsock in for Proxy authentiation?
Also is there any code to use port 80 (by subnetting) fpr TCp data exchange?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


I don't believe that you can programmatically configure it to allow someone behind a router/firewall/LAN, to 'invite' someone else... It would require that the user configures his router/firewall/[gateway on his LAN] such that this can work...
I assume that to perform a "connect/invite", the other workstation attempts to connect directly to the initial workstation based on the IP and port registered at the server?  There are a number of problems you will face:

1) the proxy and firewall will typically change your IP and port (via NAT and PAT address translation), thus the IP and port you register cannot be the IP and port that the initial workstation believes it to be (which is often only valid inside the LAN, such as a IP), it must be the IP that the NAT/PAT translated you into.  For example, if you go to a DOS window and do ipconfig, you will see what your machine thinks it's ip address is, but if you are behind a proxy or firewall and go to it may show you an entirely different IP address.

2) Typical proxy/firewall configurations will not allow unsolicited inbound traffic, it will only allow responses to outbound traffic.  e.g. the second workstation cannot get in, even if it uses the correct IP/port address.

3) Some firewalls will verify that traffic is the appropriate type, thus even if you use port 80, it might have to be valid HTTP packets.

You might be able to use a VPN solution, where the outside machines look like they are actually on the LAN and hides the fact they are outside.  You could redesign your app so that it only uses query/response traffic through the server, which might be horribly slow.  You might even be willing to reconfigure the proxy/firewall to create a hole that allows inbound traffic from specific known IP address to the appropriate port with some sort of authentication mechanism.  The later being a security hole that many organizations may not tolerate.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
To add to JohnBPrice's comments:

VPN seems like an overkill here. Aside from the fact that it will open your internal network to all those that connect to you.

Connections are possible if you have an outside IP address. An inside address is one that is not routed across the internet. They consist of the following numbers: 192.168.x.x, 172.16.x.x, 10.x.x.x.

Anytime your computer has one of those addresses, it will be changed to a different address before it gets out to the internet.

Having said that, lets address your problem. It has several facets. One is your connection to the internet, direct or translated and the same with the connecting client. Then there are firewalls that have to be scaled.

If you have a translated address on your server, all your outbound conections will work fine. The inbound connections won't be able to find you. What you need to do is set up portmapping (standard feature in Linux - probably offered somewhere in Windows - probably for money). You will be telling the gateway computer (the one with the firewall) that all connection arriving on a specific port will need to ba passed through to your server at IP x.x.x.x and port p. Then, you will be able to recieve all connections.

Now for your clients...
If they are connected directly to the internet, no firewall (aside from being really dumb) they can connect to you with no problem. If they have a firewall, and it only blocks uninvited incoming connections, they can still connect to you. If it is a serious firewall, one that monitors all outgoing connections as well (incase some slithering virus or spyware, etc. sneaks in and starts sending out information on your crown jewels), then it needs to be taught that that is an ok connection. After that, they will be able to connect.

If your client is running a proxy server, then he needs to know if it is transparent or not. If it is transparent, he needs to do nothing further.

If it is not transparent, he needs to provide for you the IP address and port number of the proxy that is serving you and you need to use those addresses to to the connection.

I hope this helps. If you are more confused or have any questions - just ask them.

MoiyedAuthor Commented:
Thanx to JohnBPrice  & Bill for ur response to sort out the problem.

Actually we r in the testing phase and what we r doing now;
- Starting the chat server based on the dynamic IP (as getting thru IPconfig and it changes for each new internet connection session). The server is running on the comp where we have internet connection. And the client applications are able to connect the server remotely using the same dynamic IP address (where there is no proxy......using DHCP thing).

Please clarify more about these area;
"If your client is running a proxy server, then he needs to know if it is transparent or not. If it is transparent, he needs to do nothing further.

If it is not transparent, he needs to provide for you the IP address and port number of the proxy that is serving you and you need to use those addresses to to the connection. "

Please tell me that how in the proxy environment client app. is going to connect the chat server (after providing the correct dynamic IP and port).
What is needed to be done exactly to send a connection request through Poxy?



It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Programming Languages-Other

From novice to tech pro — start learning today.