Connecting a SwyxIt! to a SwyxServer through a firewall (kb2623)
Le informazioni contenute nel presente articolo riguardano i seguenti prodotti:
- Microsoft Windows Server 2003
- SwyxWare from version 4
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows Me
- Microsoft Windows 98
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- SwyxIt! all versions
[ Informazioni ]
The existance of a firewall between the SwyxServer and the SwyxIt! clients must be considered a general problem that should be avoided. The SwyxIt! client needs a whole lot of open ports, which - when opened - will make the firewall rather useless. Further informations on this can be found in the Knowledgebase article:
The DCOM protocol, which the SwyxIt! uses to communicate with the server, is the main problem here. Connections have to be made not only from the client to the server machine, but also in the other direction. Both machines must be able to reach each other on random ports above port 1023. Reagreatfully, Microsoft has not limited the port range that is used by DCOM.
To ensure proper operation, this means that between the server and the client all ports starting with 1024 have to be completely open, for TCP as well as UDP. In addition, we also need RPC access on port 135 and free access to shared folders on the server machine.
If we keep in mind that a firewall should especially block off the file access from the outside world, it is quite obvious that it is more or less impossible to connect a SwyxIt! client to its server through a firewall without getting in trouble.
Even while in the own LAN, problems can arise when security measures somewhere in the network block off certain ports.
During the logon procedure of the SwyxIt!, you will quickly find out if any of the needed ports are blocked. Different error messages can be displayed here. The most common are the following ones:
- Error on logon: "The RPC server is unavailable." (kb2423)
- Error on logon: "Not enough storage is available to complete this operation." (kb2590)
- Error on logon: "The object exporter specified was not found." (kb2422)
In some cases it is also possible that the logon works perfectly, that the file access works as well and everything seems to be fine, until the user tries to actually make a phonecall and the voice transmission isn't working in one direction, or even in both (of course, please check first that the audio device itself is working properly).
If this problem is not caused by different "quality of service" settings on the involved computers, there is a high probability that a firewall or a simple portfilter is blocking network traffic somewhere between the SwyxIt! client and the SwyxServer. Portfilters, sometimes called "mini firewalls", may be hard to find, because they come as "hidden features" in some antivirus tools. Those portfilters are sometimes not even configurable, especially in the so called "personal editions" of the antivirus packages.
In some cases they can't even be switched off, and so the only chance to get rid of the portfilter is to uninstall the whole antivirus package and use something else.
If a user wants to connect his SwyxIt! client to the company network while he is working at home, a complete security breach by opening all necessary ports in the firewall is obviously not an option. Most of the time it wouldn't help anyway, since the necessary ports for access to shared files are blocked by most internet providers.
For this scenario, the use of a VPN connection into the company LAN is the best idea. A VPN connection acts as a tunnel through the internet and through the firewall and grants the client complete and unfiltered access to the server, just as if it was connected to the LAN directly.
The transmitted data can be encrypted before being sent out through the internet, and so it's nearly impossible to take a look at the packets and gather any secret data. Using the RRAS service, every Windows server is capable of providing a VPN access point. A VPN client is integrated in every desktop version of the Windows operating systems, so there's no need to install anything new.
This article is not intended as an instruction manual on how to create VPN connections, because the methods that have to be used are different every time, depending on the type of firewall, VPN server, the LAN and so on. On the other hand, it is not at all complicated to set up a VPN, and it is also no mentionable security risk. As an example, a very simple setup will be described here.
In this simple case, the RRAS service will be activated on one of the servers in the LAN. On the router, that connects the LAN to the internet, we will have to configure a forwarder for the GRE protocol (protocol type 47) that points to the RRAS server, and another one that routes port 1723 to the RRAS server. For a simple PPtP VPN, this is all that needs to be opened to the internet. The effort that the administrator has to put into this, is not really high, as seen in this simple example.
A setup description for a VPN connection to be used for e.g. home offices can be found in the Knowlegebase article: