Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 418
  • Last Modified:

Win2k Secure TCP/IP

I have a couple of win2k machines that are on separate networks and separate domains.  I need a persistent and secure TCP/IP tunnel between the two.

What is the quickest, cheapest, and most reliable way to get that going.

I can not use hardware based VPN since one of the servers is not owned by us and can we can not place additional hardware there.

The connection needs to be established at boot up and needs to stay connected so that our TCP/IP application can communicate securely.

Our app is a simple socket to socket TCP/IP over a single port that is persistent.

thanks.




0
wskorski
Asked:
wskorski
  • 2
2 Solutions
 
Bill BachPresidentCommented:
Quick, Cheap, and Reliable: Pick any two!

A few possibilities to consider:
1) You mention that hardware VPN is not possible, as one server is not under your control from the network perspective.  However, what about a software VPN (installed on the remote server) connecting back to your own hardware-based firewall?  I am thinking that a SonicWall Firewall/VPN solution (e.g. TZ190 on the small end, or any of the larger units) would provide high-speed VPN capabilities, and would be able to work with a small VPN client on the server that you cannot access for hardware.  (This assumes that you can install software there, of course.) (Quick and Reliable)

2) It sounds like the app is your own application.  Why not encrypt the data at the app level, and allow the system to use normal unencrypted TCP connections for data transfer?  This might be a bit slower and add some CPU overhead, but you can use an open-source encryption module (e.g. Blowfish) to implement the encryption (or just do some simple data mangling, even).  (Quick and Cheap)

3) Using a repeater might be a viable option, if you don't want to mess with any of this.  The PC-HelpWare tool (a free component similar to VNC) has a "repeater" component which provides source code as well.  It would be possible to implement the repeater on a public server (owned by you, of course), and then have the remote server connect to the repeater, and your own system connect to the repeater on the other end, and it can funnel traffic through to you.  As PCHelpware is also open source, you'll have the source code to build your own, using whatever posts and security you want to.  (Cheap and Reliable)

0
 
PWeerakoonCommented:
Hi,
You can use IPSec Transport mode to establish an encrypted connection between the two servers.

IPSec software in built into Windows 2000 and above.

Here's a configuration guide...
http://technet.microsoft.com/en-us/library/bb742429.aspx

You can use a pre-shared key to establish the connection because the remote server is not under your control for AD integrated Kerberos and I assume you don't have certificates.

Basically, the idea is to setup a IPSec policy that would encrypt IP packets going from your server IP address to the remote server IP address. The IPSec policy engine loads at boot-time and sits above the network layer, so anything that is sent from the operating system to the network is inspected and encrypted if it matched the policy.

The downside is the encryption is done by the server cpu unlike a dedicated VPN hardware device. However, you can get a Network card that has an 'IPSEC offload' chip so that the processing is done on the NIC (if performance is a problem).

Also, starting with Windows XP SP2 and I believe Server 2003 SP2, you have to manually configure a registry key to get IPSEC to work over a NAT. Research IPsec NAT-t for this.


0
 
wskorskiAuthor Commented:
Thanks BillBach :
1) Sorry I forgot to mention.  My server is already running a Cisco VPN client on it, and you can't have to soft VPN clients running on the same server, as far as I know.

2) Our TCP listener is our own, by the remote TCP sender is not.

3) PCHelpware?  WHere does the encryption take place?
0
 
wskorskiAuthor Commented:
Ok, IPSec was easy enough to set up except IPSec does not play well with NAT.  It even does worse if you have NAT on both ends.

I ended up using Zebedee to create a VPN Tunnel.    It's free and works very well.

thanks
Wes
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now