arco1918 asked:
VPN VNC and Web Services in router sub-network without Port Forwarding

Dear Experts:

Is there a way to accomplish the following without port forwarding?  Here are details:

Looking for 1) VNC access and 2) access to web services, both hosted on the same PC within subnetworks.

There are several identically configured sub-networks for which this needs to be accomplished.  Each sub-network is in a different location (i.e. time zones apart, different facilities) and behind a different gateway with the only known being that regular outgoing connections (email, Internet) are allowed as per typical PC usage behind the gateways.  Each sub-network is behind its own identical router that I've configured.  This sub-network router is what gets placed in the facility network.

Network setup:

[Remote Admin PC 0 VNC Client and Web Service queries] <=> [Internet Cloud] <=> [Facility 1 Gateway - No Port Forwarding allowed] <=> [My Router 1, Custom Config] <=> [My Sub-Network, including MS IIS running my custom Web Services PC 1]

Can you please clarify or suggest: if using VPN, can these (VNC, Web service query) needs be met without port forwarding?

I've seen references to Hamachi and hardware VPN as well as MS (Microsoft) VPN.  Could you please provide notes about pricing of hardware VPN that might be affordable (under $200) per unit that could make that usable?  Would simply running VPN on the PC 1 via Microsoft be sufficient?

Would VPN be required at the facility level, or could it just be implemented with my sub-network and then my remote admin PC 0?  Perhaps just with required pass-through at the facility level (what would be required)?

If VPN would work, to what would I point my browser if I wanted to pull up the web service within the sub-network from my remote admin PC 0?

Please do not hesitate to post any questions at all if I need to clarify something here.

Thanks very much for your assistance.
pwindell

We have to clarify some terms first so that we know what each other is saying.

It is easy without Port Forwarding since there is no such thing as Port Forwarding.  It is a meaningless "home user" marketing term that "got off its leash".   The real term for the process that is often referred to is Reverse NAT or sometimes called Static NAT.  It is not Forward NAT, not Dynamic NAT (NAT Overload), and not 1-to-1 NAT.

There is no such thing as a "sub network router".  A router is just a router.  The only real distinction is a WAN Router that sits on the terminated end of a WAN Link and a LAN Router that sits between two or more IP Segments on the inside of a LAN.  The "home user" NAT Firewalls are commonly called "routers" on the retail store shelves,...but they are not really routers at all.

Anyway, with the best I understand your environment,...the most direct way to handle this is with a Site-to-Site VPN (not the same as a Remote Access VPN).  This would be performed by either dedicated VPN Appliances at the Network Edge of each physical location,...or be handled by the Firewalls at each Physical location.
arco1918 (ASKER)

Thanks for your attention to clarifying terminology.

My goal with the terms here was to distinguish portions of the network for the sake of discussion.  By 'sub-network' I just meant that there will be a network contained within my LAN router that is identical (mostly, as much as possible) - duplicated in various locations inside of the main or some parent router / network segment.  That is, my custom LAN within a larger LAN.  So perhaps let's call my router a LAN router (or NAT firewall) within a facility WAN router, or possibly within another LAN router that is also within a WAN router network, depending on the facility - again unknowns.

"Port forwarding" I use here in the usual conversational sense: meaning: I will not be able to access the WAN Router to set any sort of static relationship between an external port and my LAN router ports.

To clarify, what I can configure is my remote admin PC (PC 0) network and my LAN network somewhere out there in a facility, not the items in between.  Meaning I can't adjust the Firewall at the facility location.

It would be most helpful if you could comment on my specific questions, if you could suggest examples of VPN appliances and whether these could live only within my deployed LAN router, or if it would require facility WAN / LAN router configuration (that is, defining inside or outside of the edges of the network segments).  Hamachi appropriate here?

Thank you.

In the meantime, I'll explore what you mentioned regarding Site-to-Site VPN.

An additional comment: these deployments are not huge commercial networks - rather I'm looking for a low-cost and basic solution - up to this point, using Consumer / Business (the line grays somewhat) NAT / Firewall / Routers with 'Port Forwarding' has worked fine.  However, statically mapping ports to internal IP address(es) will no longer be an option.

I've seen several discussions related to folks access work computers from home and vice-versa, so the context here is similar, perhaps just the next step, such that none of those solutions quite addressed these points here, as far as I could tell.

Thanks.
It would be most helpful if you could comment on my specific questions,
That's what my last paragraph did.  Now I was interpreting what you were asking to mean that you want to connect two business locations together.  If that is true, then the rest of my comments are for that. But if this is a single business location with a handful of users wanting to work from home then I will say a little bit about that at the bottom.
The Site-to-site VPN is my suggestion,...and pretty much the only real and reasonable solution.  There are other types of Application Virtualization solutions with Citrix and MS's UAG that do not use VPNs,..but you would probably spend about as much as it would take to buy a good used car before you were finished.
The most important thing about doing a Site-to-Site VPN is the upload speed of the Internet connection. On asynchronous connections like DSL or Cable TV the upload side is much slower,...and the VPN is always going to sync at and run at somewhat less than the upload speed in both directions.  So performance can be horrible depending on what exactly you try to do with it.  Traffic between an application and its back-end database may do just fine although a little slower,...but opening, copying, moving, saving Files would be horrible.  You may want to combine this all with the desktop virtualization I mention at the bottom to get around the slow speed issues.
Pretty much any Firewall over $500 can do a Site-to-Site VPN.  The prices may have even dropped somewhat lately.  I can't speak for any home-user retail devices,...I won't go near them for any business application.   As far as any dedicated VPN-Only Devices, I have no brand/model to suggest,..never use them,...you may not even be able to buy such a thing any more since pretty much any real firewall will do that same thing which kind of makes them obsolete.
At our place a Site-to-Site VPN is performed by a Cisco ASA5500.  All of our other VPNs (Remote Access VPNs) are done by MS's ISA2006 although it is just as capable as the ASA,...but we own the ISA,...the parent company owns the ASA,... and the Site-to-Site VPN was desired by and put there by the parent company,...so they used their ASA for that.
I've seen several discussions related to folks access work computers from home and vice-versa, so the context here is similar, perhaps just the next step, such that none of those solutions quite addressed these points here, as far as I could tell.
If this project is about a single business location with a few users wanting to work from home then the same VPN Device (Firewall) would work but you would use Remote Access VPN instead of a Site-to-Site VPN.  But the performance is going to be horrible unless there is some kind of virtualization taking place.  On top of that, if they are using their "home" machine, it is not going to be a Domain Member which complicates things excessively. The simplest form of virtualization would be Terminal Services (aka Remote Desktop Services) or VNC as you mentioned.  The user would first connect via VPN then run one of those solutions from there.  We use Terminal Services here.  We also had a few cases where the user ran (remote controlled) their normal "work" Desktop Machine from home by using Remote Desktop.
Terminology corrections,..sorry,....yea I know that is annoying and I usually annoy everyone that I do that to.  But words are important to me and I think it is important that we use correct terminology.  Incorrect terminology,..and worse yet,..."techno-slang" from the home-user retail marketing makes learning difficult for those trying to learn and in some cases just flat misleads them.  Then combine that with the fact that I.T. is world-wide and many many people read these posts who do not speak English as their first language, so it becomes even more difficult for them.  And of course this site keeps a database of all this stuff to be "searchable" for people looking for solutions to their problems that might be reading this 5 years from now.
So, that's I why I try to clarify and use more well defined terminology,.....and I guess some of it I'll blame on my obsessive compulsive disorder  :-)
 
Thanks pwindell.  I appreciate your information here and will review your comments a few more times.  English was not my first language, so I also appreciate your comments about keeping the language clear for that reason.  

The model number and price estimates are helpful for me - I will review these options as well.  

On the topic of communication, I think I need to re-state my main focus here, also because it is relevant to bandwidth, etc. as you had mentioned.  I hope I use the right terms.  If you can suggest that I call something by a different name, I'll use that next time.

I have 4 locations, each about 500 to 1000 miles apart, each at a different facility.  So I'll call each one a facility installation.  Each facility has its own Internet-accessible network, for employees there, etc. Within each facility network, I place my LAN router (business class, according to the manufacturer) along with a few PCs connected to my LAN router network segment.  In the future, there may be 100 such installations at 100 different facilities, or perhaps several within each facility.

One of the PCs inside my LAN router network segment (one at each facility) runs a server including web services.  I'll call this PC 1 if that's ok I hope.

These web services are polled automatically by a server outside the facility network, via the Internet.  Sometimes, just to make a quick adjustment, I need to VNC into the PC 1 (at each facility).  Low bandwidth is ok.  Not heavy remote work, but rather perhaps an adjustment of a parameter.  This remote VNC access would be only for me or a few other people, performed anywhere there is Internet access ideally.  Or perhaps, just from one or two main home or office locations.

Currently, for the system to work, it is required that external ports are statically mapped from the facility WAN router to my LAN router network segment and thus the server PC (PC 1) at each facility, both to access the web service to collect some data (low bandwidth ok, small data volume) and to VNC into the PC 1 if necessary once in a while for a quick change of something.  But it is all light weight and mostly low bandwidth for which notable latency is acceptable.

Because each facility network is configured differently, and their WAN router and administration policies may or may not allow port mapping it would be best if I could find a way to allow my web services to be queried and allow VNC access to my server PC (PC 1 inside my LAN router network segment) without any firewall or WAN router configuration at the facility itself.  I thought perhaps VPN might be a way to do this.  Perhaps a service like Hamachi.  

I looked at running Microsoft PPTP VPN server (New Incoming Connection...) but this also requires port forwarding (or at least this is how they term the port setup in the router / firewall / NAT unit they use for their demonstration setup) in addition to enabling PPTP Pass-through.

I imagine the solution will involve some compromise, including requirements for the facility to accommodate something.

I hope I've used the right terms here and done a better job of describing the desired setup.

Thanks for any suggestions you can provide here.
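A small Python model, added here as an illustration and not part of either participant's posts, of the distinction pwindell draws between dynamic NAT (NAT overload) and static/reverse NAT, and of why the PPTP server arco1918 tried still needs a static entry: a connection that arrives from the Internet is only delivered to an inside host if the firewall already holds a matching translation, and without administrator access to the facility firewall the only way such an entry ever appears is when the inside host itself opens the connection outbound. All IP addresses, ports and the VPN hub are constructed sample values (RFC 5737 documentation ranges), and the class and function names are assumptions made for this example.

```python
# Constructed toy model of a NAT firewall's translation table (example code
# written for this thread, not from the original posts or any product).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)

# Constructed sample addresses from the RFC 5737 documentation ranges.
FACILITY_PUBLIC_IP = "203.0.113.10"   # WAN side of the facility firewall
PC1 = "192.168.50.10"                 # server PC behind the inside firewall
ADMIN = ("198.51.100.5", 51000)       # remote admin PC 0 out on the Internet
VNC_PORT = 5900                       # well-known VNC port
TUNNEL_HUB = ("198.51.100.5", 443)    # assumed VPN hub that PC 1 dials out to
TUNNEL_PORT = 40500                   # assumed local port of PC 1's VPN client


@dataclass
class NatFirewall:
    """Stateful NAT overload ("dynamic NAT") with optional static entries."""
    public_ip: str
    next_port: int = 60000
    # public port -> (inside address, outside peer), created by outbound flows
    dynamic: Dict[int, Tuple[Addr, Addr]] = field(default_factory=dict)
    # public port -> inside address, configured by the firewall administrator
    static: Dict[int, Addr] = field(default_factory=dict)

    def add_static(self, public_port: int, inside: Addr) -> None:
        """Static/reverse NAT, what consumer gear calls 'port forwarding'.
        Only the facility administrator can add this."""
        self.static[public_port] = inside

    def outbound(self, inside: Addr, outside: Addr) -> Addr:
        """An inside host opens a connection; the firewall records the flow
        and returns the public (ip, port) that the outside peer will see."""
        for port, (ins, peer) in self.dynamic.items():
            if ins == inside and peer == outside:
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (inside, outside)
        return (self.public_ip, port)

    def inbound(self, src: Addr, public_port: int) -> Optional[Addr]:
        """A packet from the Internet arrives at public_ip:public_port.
        Returns the inside address it is delivered to, or None if dropped.
        Assumption: a dynamic entry only accepts the peer the inside host
        talked to (many firewalls are this strict; real behaviour varies)."""
        if public_port in self.static:
            return self.static[public_port]
        entry = self.dynamic.get(public_port)
        if entry is not None and entry[1] == src:
            return entry[0]
        return None


def vnc_without_static_mapping() -> Optional[Addr]:
    """Admin tries to VNC straight in; no static entry exists, so it is dropped."""
    fw = NatFirewall(FACILITY_PUBLIC_IP)
    return fw.inbound(ADMIN, VNC_PORT)


def vnc_with_static_mapping() -> Optional[Addr]:
    """Same attempt after the facility admin adds a reverse NAT entry."""
    fw = NatFirewall(FACILITY_PUBLIC_IP)
    fw.add_static(VNC_PORT, (PC1, VNC_PORT))
    return fw.inbound(ADMIN, VNC_PORT)


def outbound_initiated_tunnel() -> Tuple[Optional[Addr], Optional[Addr]]:
    """PC 1 dials out to the VPN hub. Replies from the hub reach PC 1 through
    the dynamic entry; an unrelated host hitting the same public port does not."""
    fw = NatFirewall(FACILITY_PUBLIC_IP)
    public = fw.outbound((PC1, TUNNEL_PORT), TUNNEL_HUB)
    reply_from_hub = fw.inbound(TUNNEL_HUB, public[1])
    stray_packet = fw.inbound(("192.0.2.77", 4444), public[1])
    return reply_from_hub, stray_packet


if __name__ == "__main__":
    print("VNC, no static NAT:   ", vnc_without_static_mapping())
    print("VNC, static NAT added:", vnc_with_static_mapping())
    print("Outbound tunnel:      ", outbound_initiated_tunnel())
```

The third scenario is the one that matters for the thread: once PC 1 has dialed out to a VPN endpoint that the remote admin controls, the VNC session and the web-service polls ride inside that tunnel, so the facility firewall sees nothing but an outbound connection and no static entry is needed on it.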

SOLUTION by pwindell (members-only content, not shown)
ASKER CERTIFIED SOLUTION (members-only content, not shown)
Thank you pwindell.  I am still studying your post and the diagram.  Very good information.

I have one question most immediately, and probably more to confirm or clarify soon:

When you say "Replace the 'Internet Device' at each facility", do you mean that it would be necessary to replace the main facility Internet device that they use for their network or that I should replace my LAN router with a Site-to-Site-capable VPN router?  For the latter case, replacing my LAN router (installed in the facility network) with a Site-to-Site capable VPN router, would the scenario still work?  Or if you meant the first case, replacing the facility WAN router with a Site-to-Site capable VPN router in addition to using my LAN router for my network devices within the facility network, then this might not work as the facilities will want to retain their existing network configuration with minimal change to accommodate my LAN router network segment.

Regarding your note about my 'LAN router as the logical center' I may perhaps have misinterpreted your terms because I did not understand them fully.  What I mean is that my router that I install in each facility will have behind it or be hosting within its network segment, just the network-enabled devices I need and then one server.  In my mind, I keep visualizing this as placing one more branch of a network within the facility network, the new branch containing a couple of network-enabled devices, including the server.

I understand your comment about the Cradlepoint 1200 as well.

I hope this makes sense - I'll continue to study your post.

Thank you.
SOLUTION (members-only content, not shown)
I think you might be better off going with the most simple method from my last paragraph above.  That will get you working with minimal disruption and changes.   You can always make it more complex later after you have had more time to get more familiar with what you are doing -vs- what you really need.
Thank you pwindell.  I'm still evaluating and studying your comments.

Regarding the idea of placing my PCs directly into the facilities' LANs: I was trying to isolate my network-enabled devices from the facility network, so that each of my small network segments would have its own custom, static, and uniform (across all facilities) network configuration, hence the deployment of each system with its own router.

I'm trying to understand the correct term for the hardware device I'm using here.  It is called by the manufacturer a router and has a LAN side and WAN side, uses NAT and has firewall capabilities.  It is what I was calling 'my LAN router' but it also serves to isolate my network-enabled devices from the external network.  It can be an Internet device, thus connecting to the Internet at its WAN port, or it can be placed within another LAN, so I'm not sure quite the correct terminology.  I imagine it lies somewhere along the spectrum of commercial / business to consumer home-use.  Can you please suggest the term you'd prefer for that device?

As far as replacing the facility Internet Device, this really may not be a viable solution, however if it the only solution, I will want to consider it as well.

Thanks again.  I'll continue to study your comments here.
Regarding the idea of placing my PCs directly into the facilities' LANs: I was trying to isolate my network-enabled devices from the facility network, so that each of my small network segments would have its own custom, static, and uniform (across all facilities) network configuration, hence the deployment of each system with its own router.
I don't see the point in that.  Also if they cannot interact with the LAN at the facility then what good is it having them there?
I'm trying to understand the correct term for the hardware device I'm using here.  It is called by the manufacturer a router and has a LAN side and WAN side, uses NAT and has firewall capabilities.  
It is a Firewall,.....a NAT-based Firewall.  Yes the common "lingo" in the home-user retail world is to call them "routers",...but they are not real routers.   These things have made a mess of the IT industry as far as the meaning of words,...they've butchered the dictionary,....nothing I can do about that.
What country are you located in?
Thanks pwindell for your attention to my last comment.  On the first note there we've had a slight mis-communication.  But everything else looks reasonable.  The solution will probably look something like what you have proposed, so I will close this question and award you the points.

Thanks again for your good help.  Best Wishes.
Very good sir.
Good luck with the project.