Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Win2k Secure TCP/IP

Posted on 2009-07-01
Medium Priority
Last Modified: 2012-05-07
I have a couple of win2k machines that are on separate networks and separate domains.  I need a persistent and secure TCP/IP tunnel between the two.

What is the quickest, cheapest, and most reliable way to get that going.

I can not use hardware based VPN since one of the servers is not owned by us and can we can not place additional hardware there.

The connection needs to be established at boot up and needs to stay connected so that our TCP/IP application can communicate securely.

Our app is a simple socket to socket TCP/IP over a single port that is persistent.


Question by:wskorski
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 28

Accepted Solution

Bill Bach earned 1000 total points
ID: 24759251
Quick, Cheap, and Reliable: Pick any two!

A few possibilities to consider:
1) You mention that hardware VPN is not possible, as one server is not under your control from the network perspective.  However, what about a software VPN (installed on the remote server) connecting back to your own hardware-based firewall?  I am thinking that a SonicWall Firewall/VPN solution (e.g. TZ190 on the small end, or any of the larger units) would provide high-speed VPN capabilities, and would be able to work with a small VPN client on the server that you cannot access for hardware.  (This assumes that you can install software there, of course.) (Quick and Reliable)

2) It sounds like the app is your own application.  Why not encrypt the data at the app level, and allow the system to use normal unencrypted TCP connections for data transfer?  This might be a bit slower and add some CPU overhead, but you can use an open-source encryption module (e.g. Blowfish) to implement the encryption (or just do some simple data mangling, even).  (Quick and Cheap)

3) Using a repeater might be a viable option, if you don't want to mess with any of this.  The PC-HelpWare tool (a free component similar to VNC) has a "repeater" component which provides source code as well.  It would be possible to implement the repeater on a public server (owned by you, of course), and then have the remote server connect to the repeater, and your own system connect to the repeater on the other end, and it can funnel traffic through to you.  As PCHelpware is also open source, you'll have the source code to build your own, using whatever posts and security you want to.  (Cheap and Reliable)


Assisted Solution

PWeerakoon earned 1000 total points
ID: 24759442
You can use IPSec Transport mode to establish an encrypted connection between the two servers.

IPSec software in built into Windows 2000 and above.

Here's a configuration guide...

You can use a pre-shared key to establish the connection because the remote server is not under your control for AD integrated Kerberos and I assume you don't have certificates.

Basically, the idea is to setup a IPSec policy that would encrypt IP packets going from your server IP address to the remote server IP address. The IPSec policy engine loads at boot-time and sits above the network layer, so anything that is sent from the operating system to the network is inspected and encrypted if it matched the policy.

The downside is the encryption is done by the server cpu unlike a dedicated VPN hardware device. However, you can get a Network card that has an 'IPSEC offload' chip so that the processing is done on the NIC (if performance is a problem).

Also, starting with Windows XP SP2 and I believe Server 2003 SP2, you have to manually configure a registry key to get IPSEC to work over a NAT. Research IPsec NAT-t for this.


Author Comment

ID: 24759607
Thanks BillBach :
1) Sorry I forgot to mention.  My server is already running a Cisco VPN client on it, and you can't have to soft VPN clients running on the same server, as far as I know.

2) Our TCP listener is our own, by the remote TCP sender is not.

3) PCHelpware?  WHere does the encryption take place?

Author Comment

ID: 24806265
Ok, IPSec was easy enough to set up except IPSec does not play well with NAT.  It even does worse if you have NAT on both ends.

I ended up using Zebedee to create a VPN Tunnel.    It's free and works very well.


Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I know for anybody starting from Beginner to Expert in Networking knows what OSI model. But this tutorial is for freshers or those who are new to networking world. Why I am putting OSI in such simple and compact manner is because it enables you to k…
Understanding FTPS File transfer is a common requirement in most Enterprises. While there are numerous ways to get a file from Point A to Point B over a network, perhaps the most common method still in use is FTP – File Transfer Protocol. FTP is …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question