Solved

LAN or WAN ?

Posted on 2016-10-12
Last Modified: 2016-11-08
My Backup Application (using Sockets) has a Server.exe (on one machine) and Client.exe (on each desktop).
Currently all the Client.exe are meant to be within the LAN of the Server.exe.
Now I want to permit users to work across the WAN too.
I want to recognize the users connecting via WAN; how do I check that?
Can I tell from within the Socket details, or will I have to use Geolocation?
I use Delphi / Windows OS / TServerSocket+TClientSocket.
Question by: Allan_Fernandes
LVL 26

Expert Comment

by:skullnobrains
ID: 41840117
you probably should combine techniques from among:
- filtering by IP if you know your clients' addresses. this is available in the socket's metadata
- i assume you already use passwords?
- SSL authentication with client certificates

or you can take a different approach and set up a VPN or SSH tunnels for your clients. if you have a commercial firewall, it probably comes with a VPN
LVL 36

Expert Comment

by:Geert Gruwez
ID: 41840672
the most important thing is overcoming connection loss
another issue is the speed

> are meant to be within the LAN of the Server.exe.
how can you be sure there are no WAN connections now?

with a vpn in between it's possible the ip address looks like it's in the lan

Author Comment

by:Allan_Fernandes
ID: 41846591
Hi
Sorry for the Delay in responding.
>> filtering by ip if you know your client's addresses
My Application is currently being used on MPLS (LAN as far as I am concerned) and here the IPs across the country do not have any format that I can filter them on.

>> i assume you already use passwords?
>> SSL authentication with client certificates
No. I am transferring via Winsock and I use an Identity pattern to avoid any external intrusion.

>> the most important thing is overcoming connection loss
>> another issue is the speed
Very valid point and I have to check it out practically, but since the backups are incremental (even PST) it should not be much of an issue.

>> how can you be sure there is no WAN connections now ?
Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the Public IP of the clients.
LVL 36

Expert Comment

by:Geert Gruwez
ID: 41846627
backups incremental ? not an issue ?

if you have connection loss, then you need to "redo" the failed part
how the redo is done depends on what the failed part is ...

a really easy way ...
robocopy source dest backupfiles /Z

robocopy has a built-in retry mechanism
even across the WAN

why reinvent the wheel ?

but i assume you want more control than that
LVL 26

Expert Comment

by:skullnobrains
ID: 41846842
given this extra information, i'd go the VPN way

if your server has to connect back to the client, you are bound to run into firewall issues on the client side so you'd have many things to change to get it to work over the WAN... or rewrite your app accordingly if for some reason setting up a VPN is not feasible for you

Author Comment

by:Allan_Fernandes
ID: 41857315
I think we have moved away from the question I seek. As far as Connectivity etc. is concerned, I will check that out and maybe come back to you all later. Now I want to know if there is any pattern of Public addresses allocated as per Geolocation?
LVL 26

Expert Comment

by:skullnobrains
ID: 41857346
> Now I want to know if there is any pattern of Public addresses allocated as per Geolocation?

simple answer, no.

but then if a Greek ISP possesses a number of IPs, there are high chances that their owners/users are in Greece.

there is a tool named geoiplookup that can resolve the country. it is about 90-95% reliable, which is not great but not too bad. the paid version can resolve with better precision (cities, states, ...) and is supposed to be less error-prone regarding countries.

maybe if you provide more information regarding the users' connections, i'll be able to provide a useful tip. it could be sensible to register per-user IPs and ranges, or possibly get them to authenticate on the firewall in order to open the required network flow, or there may be a whole different way to get proper security without that much hassle both for yourself and the end users.

which country are you in, btw ?

Author Comment

by:Allan_Fernandes
ID: 41858364
I am in India.
>> if you provide more information regarding the users' connections
I did not understand what kind of info you seek?
LVL 26

Expert Comment

by:skullnobrains
ID: 41859202
i gather your app requires the client to access the server and the server to connect back to the client.

> Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the Public IP of the clients.

the server is behind a router, which is a problem you can handle.
the reverse is not, unless you know something about the users that makes you sure a home or hotel router does not get in the way. any wifi internet connection won't provide a public IP, so it just won't work.

the first thing you need is to modify your app so all connections are initiated by the clients.

then you either build the security into your app. you can do client cert authentication with SSL for example, use passwords, more or less complication depending on the criticality in terms of security.

or you can rely on an external tool such as SSH tunnels or VPNs. VPNs should let you work without changes to your existing code because your clients will receive a LAN address that will be routed. SSH tunnels can be made to open remote tunnels on demand, but i see no point in piloting ssh from your app.

... or you may consider modifying your app so it uses sftp or a similar standard protocol to talk to the server rather than having a server.exe

from what i understand, the simplest is probably to use SSL as a transport and modify your code so connections are not initiated by the server any more

Author Comment

by:Allan_Fernandes
ID: 41860925
All my connections are initiated by the Client machine only. The Client machine is fed with the Server IP; in this case it will be a public IP. The Client connects to the Server and has an active connection. Until now I have been initiating a new connection from the Server to the Client for File copy. Recently I changed my plans and experimented with a VPS I have hired in Atlanta and sent files back on the first connection itself (i.e. Client initiated); this worked perfectly.
LVL 26

Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 41861915
so you covered step 1.

all that's left would be to add some kind of security layer.
basic passwords and SSL might be enough, preferably using a challenge-response mechanism for the authentication. you can also authenticate with client certs. i'd assume you don't need retinal scans.

additional reasonable security measures could be
- prevent brute force attacks by disabling ( possibly temporarily ) accounts that try invalid authentications
- possibly blacklist the corresponding ips
- possibly identify weird stuff such as authenticating from 2 distant locations with the same account in a short period of time
- ... a wealth of other stuff depending on how secure you need it to be
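A worked illustration of the security layer this accepted answer describes, added here as an example and not code from the thread or from the asker's Delphi application: the server side of a password challenge-response check (HMAC over a random, single-use nonce, so the password never crosses the wire and a captured response cannot be replayed) with a temporary account lockout after repeated invalid authentications. Written in Python rather than Delphi; the user names, password bytes, and the three limit constants are constructed assumptions, and the handshake is assumed to run over the SSL/TLS connection the client initiates.

```python
import hashlib, hmac, os, time
from collections import defaultdict

MAX_FAILURES = 5        # disable the account after this many bad responses
LOCKOUT_SECONDS = 600   # "possibly temporarily": the account unlocks by itself
CHALLENGE_TTL = 30      # a nonce older than this is rejected

class AuthServer:
    """Hypothetical server-side challenge-response auth with account lockout."""
    def __init__(self, users, clock=time.time):
        self.users = users                 # user -> password bytes (constructed)
        self.clock = clock                 # injectable so tests can fake time
        self.pending = {}                  # user -> (nonce, issued_at)
        self.failures = defaultdict(int)   # user -> consecutive bad responses
        self.locked_until = {}             # user -> unlock timestamp

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def new_challenge(self, user):
        """Step 1: the client names its account; the server sends a nonce."""
        if self.is_locked(user):
            return None                    # refuse while the account is disabled
        nonce = os.urandom(16)
        self.pending[user] = (nonce, self.clock())
        return nonce

    @staticmethod
    def expected_response(secret, nonce):
        # Step 2 (client side): HMAC(password, nonce). The password never
        # crosses the wire and a captured response cannot be replayed.
        return hmac.new(secret, nonce, hashlib.sha256).digest()

    def verify(self, user, response):
        """Step 3: check the response, count failures, lock on abuse."""
        if self.is_locked(user) or user not in self.pending:
            return False
        nonce, issued = self.pending.pop(user)       # each nonce is single-use
        secret = self.users.get(user)
        fresh = self.clock() - issued <= CHALLENGE_TTL
        ok = secret is not None and fresh and hmac.compare_digest(
            self.expected_response(secret, nonce), response)
        if ok:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures[user] = 0
        return False
```

An unknown account still receives a nonce so the handshake does not reveal which user names exist; its response simply never verifies.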