VPN VNC and Web Services in router sub-network without Port Forwarding

Dear Experts:

Is there a way to accomplish the following without port forwarding?  Here are details:

Looking for 1) VNC access and 2) access to web services, both hosted on the same PC within subnetworks.

There are several identically configured sub-networks for which this needs to be accomplished.  Each sub-network is in a different location (i.e. time zones apart, different facilities) and behind a different gateway with the only known being that regular outgoing connections (email, Internet) are allowed as per typical PC usage behind the gateways.  Each sub-network is behind its own identical router that I've configured.  This sub-network router is what gets placed in the facility network.

Network setup:

[Remote Admin PC 0 VNC Client and Web Service queries] <=> [Internet Cloud] <=> [Facility 1 Gateway - No Port Forwarding allowed] <=> [My Router 1, Custom Config] <=> [My Sub-Network, including MS IIS running my custom Web Services PC 1]

Can you please clarify or suggest: if using VPN, can these (VNC, Web service query) needs be met without port forwarding?

I've seen references to Hamachi and hardware VPN as well as MS (Microsoft) VPN.  Could you please provide notes about pricing of hardware VPN that might be affordable (under $200) per unit that could make that usable?  Would simply running VPN on the PC 1 via Microsoft be sufficient?

Would VPN be required at the facility level, or could it just be implemented with my sub-network and then my remote admin PC 0?  Perhaps just with required pass-through at the facility level (what would be required)?

If VPN would work, to what would I point my browser if I wanted to pull up the web service within the sub-network from my remote admin PC 0?

Please do not hesitate to post any questions at all if I need to clarify something here.

Thanks very much for your assistance.
Who is Participating?
If you go with that Cradlepoint device double check that it can really do a Site-to-Site VPN before you shell out the money.  I only suggested that one because someone else suggested it for that reason in another post,...but I am not personally familiar with it.  
A Site-to-Site VPN is a specific type of VPN that you need,...there isn't just one kind of VPN.
We have to clarify some terms first so that we know what each other is saying.

It is easy without Port Forwarding since there is no such thing as Port Forwarding.  It is a meaningless "home user" marketing term that "got off its leash".   The real term for the process that is often referred to is Reverse NAT or sometimes called Static NAT.  It is not Forward NAT, not Dynamic NAT (NAT Overload), and not 1-to-1 NAT.

There is no such thing as a "sub network router".  A router is just a router.  The only real distinction is a WAN Router that sits on the terminated end of a WAN Link and a LAN Router that sits between two or more IP Segments on the inside of a LAN.  The "home user" NAT Firewalls are commonly called "routers" on the retail store shelves,...but they are not really routers at all.

Anyway, with the best I understand your environment,...the most direct way to handle this is with a Site-to-Site VPN (not the same as a Remote Access VPN).  This would be performed by either dedicated VPN Appliances at the Network Edge of each physical location,...or be handled by the Firewalls at each Physical location.
arco1918Author Commented:
Thanks for your attention to clarifying terminology.

My goal with the terms here was to distinguish portions of the network for the sake of discussion.  By 'sub-network' I just meant that there will be a network contained within my LAN router that is identical (mostly, as much as possible) - duplicated in various locations inside of the main or some parent router / network segment.  That is, my custom LAN within a larger LAN.  So perhaps let's call my router a LAN router (or NAT firewall) within a facility WAN router, or possibly within another LAN router that is also within a WAN router network, depending on the facility - again unknowns.

"Port forwarding" I use here in the usual conversational sense: meaning: I will not be able to access the WAN Router to set any sort of static relationship between an external port and my LAN router ports.

To clarify, what I can configure is my remote admin PC (PC 0) network and my LAN network somewhere out there in a facility, not the items in between.  Meaning I can't adjust the Firewall at the facility location.

It would be most helpful if you could comment on my specific questions, if you could suggest examples of VPN appliances and whether these could live only within my deployed LAN router, or if it would require facility WAN / LAN router configuration (that is, defining inside or outside of the edges of the network segments).  Hamachi appropriate here?

Thank you.

In the meantime, I'll explore what you mentioned regarding Site-to-Site VPN.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

arco1918Author Commented:
An additional comment: these deployments are not huge commercial networks - rather I'm looking for a low-cost and basic solution - up to this point, using Consumer / Business (the line grays somewhat) NAT / Firewall / Routers with 'Port Forwarding' has worked fine.  However, statically mapping ports to internal IP address(es) will no longer be an option.

I've seen several discussions related to folks access work computers from home and vice-versa, so the context here is similar, perhaps just the next step, such that none of those solutions quite addressed these points here, as far as I could tell.

It would be most helpful if you could comment on my specific questions,
That's what my last pargraph did.  Now I was interpreting what you were asking to mean that you want to connect two business locations together.  If that is true, then the rest of my comments are for that. But if this is a single business location with a handful of users wanting to work from home than I will say a little bit about that at the bottom.
The Site-to-site VPN is my suggestion,...and pretty much the only real and reasonable solution.  There are other types of Application Virtualization solutions with Citrix and MS's UAG that do not use VPNs,..but you would probably spend about as much as it would take to buy a good used car before you were finished.
The most important thing about doing a Site-to-Site VPN is the upload speed of the Internet connection. On asynchonous connections like DSL or Cable TV the upload side is much slower,...and the VPN is always going to sync at and run at somewhat less than the upload speed in both directions.  So performance can be horrible depending on what exactly you try to do with it.  Traffic between an application and its back-end database may do just fine although a little slower,...but opening, copying, moving, saving Files would be horrible.  You may want to combine this all with the desktop virtualization I mention at the bottom to get around the slow speed issues.
Pretty much any Firewall over $500 can do a Site-to-Site VPN.  The prices may have even dropped somewhat lately.  I can't speak for any home-user retail devices,...I won't go near them for any business application.   As far as any dedicated VPN-Only Devices, I have no brand/model to suggest,..never use them,...you may not even be able to buy such a thing any more since pretty much any real firewall will do that same thing which kind of makes them obsolete.
At our place a Site-to-Site VPN is performed by a Cisco ASA5500.  All of our other VPNs (Remote Access VPNs) are done by MS's ISA2006 although it is just as capable as the ASA,...but we own the ISA,...the parent company owns the ASA,... and the Site-to-Site VPN was desired by and put there by the parent company,...so they used their ASA for that.
I've seen several discussions related to folks access work computers from home and vice-versa, so the context here is similar, perhaps just the next step, such that none of those solutions quite addressed these points here, as far as I could tell.
If this project is about a single business location with a few users wanting to work from home then the same VPN Device (Firewall) would work but you would use Remote Access VPN instead of a Site-to-Site VPN.  But the performance is going to be horrible unless there is some kind of virtualization taking place.  On top of that, if they are using their "home" machine, it is not going to be a Domain Member which complicates things excessively. The simplest form of virtualizatrion would be Terminal Services (aka Remote Desktop Services) or VNC as you mentioned.  The user would first connect via VPN then run one of those solutions from there.  We use Terminal Services here.  We also had a few cases where the user ran (remote controlled) their normal "work" Desktop Machine from home by using Remote Desktop.
Terminology corrections,..sorry,....yea I know that is annoying and I usually annoy everyone that I do that to.  But words are important to me and I think it is important that we use correct terminology.  Incorrect terminology,..and worse yet,..."techno-slang" from the home-user retail marketing makes learning difficult for those trying to learn and in some cases just flat misleads them.  Then combine that with the fact that I.T. is world-wide and many many people read these posts who do not speak English as their first language, so it becomes even more difficult for them.  And of course this site keeps a database of all this stuff to be "searchable" for people looking for solutions to their problems that might be reading this 5 years from now.
So, that's I why I try to clarify and use more well defined terminology,.....and I guess some of it I'll blame on my obsessive compulsive disorder  :-)
arco1918Author Commented:
Thanks pwindell.  I appreciate your information here and will review your comments a few more times.  English was not my first language, so I also appreciate your comments about keeping the language clear for that reason.  

The model number and price estimates are helpful for me - I will review these options as well.  

On the topic of communication, I think I need to re-state my main focus here, also because it is relevant to bandwidth, etc. as you had mentioned.  I hope I use the right terms.  If you can suggest that I call something by a different name, I'll use that next time.

I have 4 locations, each about 500 to 1000 miles apart, each at a different facility.  So I'll call each one a facility installation.  Each facility has its own Internet-accessible network, for employees there, etc. Within each facility network, I place my LAN router (business class, according to the manufacturer) along with a few PCs connected to my LAN router network segment.  In the future, there may be 100 such installations at 100 different facilities, or perhaps several within each facility.

One of the PCs inside my LAN router network segment (one at each facility) runs a server including web services.  I'll call this PC 1 if that's ok I hope.

These web services are polled automatically by a server outside the facility network, via the Internet.  Sometimes, just to make a quick adjustment, I need to VNC into the PC 1 (at each facility).  Low bandwidth is ok.  Not heavy remote work, but rather perhaps an adjustment of a parameter.  This remote VNC access would be only for me or a few other people, performed anywhere there is Internet access ideally.  Or perhaps, just from one or two main home or office locations.

Currently, for the system to work, it is required that external ports are statically mapped from the facility WAN router to my LAN router network segment and thus the server PC (PC 1) at each facility, both to access the web service to collect some data (low bandwidth ok, small data volume) and to VNC into the PC 1 if necessary once in a while for a quick change of something.  But it is all light weight and mostly low bandwidth for which notable latency is acceptable.

Because each facility network is configured differently, and their WAN router and administration policies may or may not allow port mapping it would be best if I could find a way to allow my web services to be queried and allow VNC access to my server PC (PC 1 inside my LAN router network segment) without any firewall or WAN router configuration at the facility itself.  I thought perhaps VPN might be a way to do this.  Perhaps a service like Hamachi.  

I looked at running Microsoft PTPP VPN server (New Incoming Connection...) but this also requires port forwarding (or at least this is how they term the port setup in the router / firewall / NAT unit they use for their demonstration setup) in addition to enabling PTPP Pass-through.

I imagine the solution will involve some compromise, including requirements for the facility to accommodate something.

I hope I've used the right terms here and done a better job of describing the desired setup.

Thanks for any suggestions you can provide here.

So does each facility have a single IP segment on their LAN,...and you will be adding a LAN Router to their facility with a "new" IP Segment hanging off of that, thereby creating two IP Segments at each facility with the LAN router in the logical "center" of those two segments?   And this all being distinct and separate from any "Internet Device" that facility might be using?
Then you need to commincate with one of the PCs that you have added to the facilty?
If the answer to all of those is "yes",..it would be a very easy setup.
First the VPN:
Replace the "Internet Device" at each facility with a VPN Capable one that can do a Site-to-Site VPN.  It would be best to consistantly have the same brand & model at each facility.  On on the low end of the price scale is this one for around $350 USD  http://www.cradlepoint.com/products/mbr1200-failsafe-gigabit-n-router-mobile-broadband.  On the upper end of the price scale there is the Cisco ASA and MS's Forfront TMG (both PC or appliance versions).  Also about any high-end commercial Firewall should be able to handle it.  But I think it is important to have the same thing at each facility for consistancy and easier troubleshooting.
The VPN Layout would most likely be a "Hub and Spoke" pattern with the Main Office in the logical center.  But if the VPN/Firewall that you buy cannot "route through" one faciltiy to get to another, then it will have to be Full Mesh or at least a Partial Mesh (depends on what is needed).  That doesn't change the cost, but adds more configuation work.
The layout of the LANs at each facility:
1. All IP Devices except the Internet Firewall will use the LAN Router that you added as their Default Gateway
2. The LAN Router will then use the Internet Firewall as its Default Gateway.
3. The Firewall will continue to use whatever it uses on the External side.  But it will need a Static Route added to it that tells it to use the LAN Router as the "gateway" to get to all the LAN segments within that particular facility
4. The Firewall will need the IP Ranges of all the LAN Segments at that particular facility added to it Local Address Table which will defin them as being part of the Local Network.  I don't know what terminology the Firewall will use for that so you have to figure that one out.
Each facility will look like this if you had 3 IP Segments in the facility.:

arco1918Author Commented:
Thank you pwindell.  I am still studying your post and the diagram.  Very good information.

I have one question most immediately, and probably more to confirm or clarify soon:

When you say "Replace the 'Internet Device' at each facility", do you mean that it would be necessary to replace the main facility Internet device that they use for their network or that I should replace my LAN router with a Site-to-Site-capable VPN router?  For the latter case, replacing my LAN router (installed in the facility network) with a Site-to-Site capable VPN router, would the scenario still work?  Or if you meant the first case, replacing the facility WAN router with a Site-to-Site capable VPN router in addition to using my LAN router for my network devices within the facility network, then this might not work as the facilities will want to retain their existing network configuration with minimal change to accommodate my LAN router network segment.

Regarding your note about my 'LAN router as the logical center' I may perhaps have misinterpreted your terms because I did not understand them fully.  What I mean is that my router that I install in each facility will have behind it or be hosting within its network segment, just the network-enabled devices I need and then one server.  In my mind, I keep visualizing this as placing one more branch of a network within the facility network, the new branch containing a couple of network-enabled devices, including the server.

I understand your comment about the Cradlepoint 1200 as well.

I hope this makes sense - I'll continue to study your post.

Thank you.
Yes, I meant replace their Firewall with a VPN Capable one.  However this is only one possible scenario.   If their existing Firewall is already capable,..and if it will create a proper VPN with the ones at the other locations then you can keep what they have.
I do not call Firewalls "routers" and I do not call Routers "firewalls".  I will call a router a WAN Router or a LAN Router depending on it's role.  With a Router there is no such thing as inside, outside, front or behind.  All sides are equal.
However, some Firewalls can do "double-duty" as a LAN Router and do both jobs at the same time.  It would have three branches comming off it,...their LAN Segment,...the LAN Segment you add,...and the Internet Segment.
But you can also simplify it even futher by just adding your PCs directly into their LAN right with their existing PCs (no new segment, no new anything).  Then if their existing Firewall is cable of making the correct type of VPN to the existing Firewall at the Main Office then you can just do that and not buy any firewalls and not really make any significant changes.   If you want to keep it simple,...this is the simplest.
I think you might be better off going with the most simple method from my last paragraph above.  That will get you working with minimal distruption and changes.   You can always make it more complex later after you have had more time to get more familiar with what you are doing -vs- what you really need.
arco1918Author Commented:
Thank you pwindell.  I'm still evaluating and studying your comments.

Regarding the idea placing my PCs directly into the facilities' LANs: I was trying to isolate my network-enabled devices from the facility network, so that each of my small network segment would have its own custom, static, and uniform (across all facilities) network configuration, hence the deployment of each system with its own router.

I'm trying to understand the correct term for the hardware device I'm using here.  It is called by the manufacturer a router and has a LAN side and WAN side, uses NAT and has firewall capabilities.  It is what I was calling 'my LAN router' but it also serves to isolate my network-enabled devices from the external network.  It can be an Internet device, thus connecting to the Internet at its WAN port, or it can be placed within another LAN, so I'm not sure quite the correct terminology.  I imagine it lies somewhere along the spectrum of commercial / business to consumer home-use.  Can you please suggest the term you'd prefer for that device?

As far as replacing the facility Internet Device, this really may not be a viable solution, however if it the only solution, I will want to consider it as well.

Thanks again.  I'll continue to study your comments here.
Regarding the idea placing my PCs directly into the facilities' LANs: I was trying to isolate my network-enabled devices from the facility network, so that each of my small network segment would have its own custom, static, and uniform (across all facilities) network configuration, hence the deployment of each system with its own router.
I don't see the point in that.    Also if they cannot interact with the LAN at the facility then what good is it having them there?
I'm trying to understand the correct term for the hardware device I'm using here.  It is called by the manufacturer a router and has a LAN side and WAN side, uses NAT and has firewall capabilities.  
It is a Firewall,.....a NAT-based Firewall.  Yes the common "lingo" in the home-user retail world is to call them "routers",...but they are not real routers.   These things have made a mess of the IT industry as far as the meaning of words,...they've butchered the dictionary,....nothing I can do about that.
What country are you located in?
arco1918Author Commented:
Thanks pwindell for your attention to my last comment.  On the first note there we've had a slight mis-communication.  But everything else looks reasonable.  The solution will probably looking something like what you have proposed, so I will close this question and award you the points.

Thanks again for your good help.  Best Wishes.
Very good sir.
Good luck with the project.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.