Win2k Secure TCP/IP

Posted on 2009-07-01
Last Modified: 2012-05-07
I have a couple of win2k machines that are on separate networks and separate domains.  I need a persistent and secure TCP/IP tunnel between the two.

What is the quickest, cheapest, and most reliable way to get that going?

I cannot use a hardware-based VPN since one of the servers is not owned by us and we cannot place additional hardware there.

The connection needs to be established at boot up and needs to stay connected so that our TCP/IP application can communicate securely.

Our app is a simple socket to socket TCP/IP over a single port that is persistent.


Question by:wskorski
Accepted Solution

Bill Bach earned 250 total points
ID: 24759251
Quick, Cheap, and Reliable: Pick any two!

A few possibilities to consider:
1) You mention that hardware VPN is not possible, as one server is not under your control from the network perspective.  However, what about a software VPN (installed on the remote server) connecting back to your own hardware-based firewall?  I am thinking that a SonicWall Firewall/VPN solution (e.g. TZ190 on the small end, or any of the larger units) would provide high-speed VPN capabilities, and would be able to work with a small VPN client on the server that you cannot access for hardware.  (This assumes that you can install software there, of course.) (Quick and Reliable)

2) It sounds like the app is your own application.  Why not encrypt the data at the app level, and allow the system to use normal unencrypted TCP connections for data transfer?  This might be a bit slower and add some CPU overhead, but you can use an open-source encryption module (e.g. Blowfish) to implement the encryption (or just do some simple data mangling, even).  (Quick and Cheap)

3) Using a repeater might be a viable option, if you don't want to mess with any of this.  The PC-HelpWare tool (a free component similar to VNC) has a "repeater" component which provides source code as well.  It would be possible to implement the repeater on a public server (owned by you, of course), and then have the remote server connect to the repeater, and your own system connect to the repeater on the other end, and it can funnel traffic through to you.  As PCHelpware is also open source, you'll have the source code to build your own, using whatever ports and security you want to.  (Cheap and Reliable)


Assisted Solution

PWeerakoon earned 250 total points
ID: 24759442
You can use IPSec Transport mode to establish an encrypted connection between the two servers.

IPSec software is built into Windows 2000 and above.

Here's a configuration guide...

You can use a pre-shared key to establish the connection because the remote server is not under your control for AD integrated Kerberos and I assume you don't have certificates.

Basically, the idea is to set up an IPSec policy that would encrypt IP packets going from your server IP address to the remote server IP address. The IPSec policy engine loads at boot-time and sits above the network layer, so anything that is sent from the operating system to the network is inspected and encrypted if it matches the policy.

The downside is the encryption is done by the server CPU, unlike a dedicated VPN hardware device. However, you can get a network card that has an 'IPSEC offload' chip so that the processing is done on the NIC (if performance is a problem).

Also, starting with Windows XP SP2 and I believe Server 2003 SP2, you have to manually configure a registry key to get IPSEC to work over a NAT. Research IPsec NAT-t for this.
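The transport-mode, pre-shared-key policy described above, written out as an added example (not from the thread or from Microsoft's documentation). It assumes the `netsh ipsec static` context, which exists on Windows XP / Server 2003 and later; a Windows 2000 host would build the same policy with ipsecpol.exe from the Resource Kit, whose switches differ. The addresses, port and key are constructed placeholders, and the remote server gets the mirror-image script with LOCAL_IP and REMOTE_IP swapped.

```batch
@echo off
REM Added example, not code from the original thread. Assumes the
REM "netsh ipsec static" context (XP / Server 2003+); Windows 2000 uses
REM ipsecpol.exe instead. All values below are placeholders.
set LOCAL_IP=10.0.0.5
set REMOTE_IP=192.0.2.10
set APP_PORT=5000
set PSK=REPLACE-WITH-A-LONG-RANDOM-SECRET

REM 1. Policy container. Main mode 3DES/SHA1 with DH group 2; not assigned yet.
netsh ipsec static add policy name="AppTunnel" ^
    description="Transport-mode ESP for the app port only" ^
    mmsecmethods="3DES-SHA1-2" assign=no

REM 2. Filter list that matches ONLY the application's TCP port, both
REM    directions (mirrored=yes). Management traffic is left untouched.
netsh ipsec static add filterlist name="AppTunnel-Filters"
netsh ipsec static add filter filterlist="AppTunnel-Filters" ^
    srcaddr=%LOCAL_IP% dstaddr=%REMOTE_IP% protocol=TCP ^
    srcport=0 dstport=%APP_PORT% mirrored=yes description="app traffic"

REM 3. Filter action: negotiate ESP, and refuse to fall back to clear text
REM    (soft=no) or to accept unsecured inbound packets (inpass=no), so a
REM    failed negotiation cannot silently downgrade the link.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

REM 4. Rule that ties filter list and action together, authenticated
REM    with the pre-shared key (no AD/Kerberos or certificates needed).
netsh ipsec static add rule name="AppTunnel-Rule" policy="AppTunnel" ^
    filterlist="AppTunnel-Filters" filteraction="Require-ESP" psk="%PSK%"

REM 5. Assign the policy. The IPsec service reloads it at boot, which is
REM    what keeps the encrypted path up without any user logging on.
netsh ipsec static set policy name="AppTunnel" assign=y

REM Check: the policy should show "Assigned: Yes" with the single filter.
netsh ipsec static show policy name="AppTunnel" level=verbose
```

If either server sits behind NAT, ESP transport mode only works with NAT-T (UDP 4500), which is the registry change the answer refers to; the pre-shared key is also stored unprotected in the local policy store, so treat it like a password and rotate it.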


Author Comment

ID: 24759607
Thanks BillBach:
1) Sorry I forgot to mention.  My server is already running a Cisco VPN client on it, and you can't have two soft VPN clients running on the same server, as far as I know.

2) Our TCP listener is our own, but the remote TCP sender is not.

3) PCHelpware?  Where does the encryption take place?

Author Comment

ID: 24806265
Ok, IPSec was easy enough to set up except IPSec does not play well with NAT.  It even does worse if you have NAT on both ends.

I ended up using Zebedee to create a VPN tunnel.  It's free and works very well.

