>From: Radha krishna <[EMAIL PROTECTED]>
>We have a GUI application that we want to run from a remote client
>through firewalls. There are basically two separate networks of two
>different companies (let us say company 'A' and company 'B') and there are
>two firewalls. The client machine (NT PC) is in company 'A''s network
>and the server machine (Sun Solaris) is in company 'B''s network.
>
>The host/server that is located 'inside' a firewall has a private
>IP-number (and is accessed by many IP-'clients' inside the private
>net, so changing the number to a registered number is definitely not
>preferred). So, we installed an 'IP number-translator' on the firewall
>of company 'B' that translates a virtual, registered IP-address to the
>real, unregistered IP-address. And the client will log on to this virtual
>IP address through firewall.
>
>But the problem is that the application running on the server needs to have
>a few more port connections established between client and server. So
>the application/server is sending back a request to the client for this.
>And while doing so, the application is supplying the real, unregistered
>IP address to which the client needs to establish the connection. The client is
>opening a few ports and trying to establish a connection with the real IP
>address, and failing. We found the TCP/IP packets leaving the company 'A'
>firewall, but not reaching the company 'B' firewall.
>
>I guess that the client is sending communication packets with the
>destination IP address set to the real, unregistered IP address. Can you
>suggest a solution to us? Can we change the destination IP address
>in the outgoing TCP packet at the client (at the company 'A' firewall) to
>the desired virtual, registered IP address?
I don't know which application you're running; maybe there's a proxy or
modification which allows this app to be run through a firewall. But if
there's no such workaround, there really isn't much you can do to tap into
and modify the application payload besides writing your own
application proxy. An easier solution is to change the clients' IPs so they
match your internal, unregistered IP address range. A viable secure solution
would be to VPN these clients into their own separate, secured DMZ subnet. A
nice side-effect is that the comms are encrypted through the public network.
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
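The "application proxy" the reply mentions is the same idea as the FTP ALG on a NAT box: relay the session and rewrite the private address the server leaks in its payload. The following is an added example written for this page, not code from the poster's application or from the reply's author. The addresses (10.0.0.5 as the real, unregistered server address and 203.0.113.10 as the registered one), the `CALLBACK ... PORT ...` message and the loopback "server" are all constructed for the demonstration; the poster's protocol is unknown.

```python
"""Added example: a minimal application-layer proxy that relays a TCP session
and rewrites the server's real (unregistered) IP, wherever it appears in the
server->client payload, to the registered (virtual) address the client can
route to. Addresses and protocol below are constructed, not the poster's."""
import socket
import threading

REAL_IP = "10.0.0.5"          # assumed: server's private, unregistered address
VIRTUAL_IP = "203.0.113.10"   # assumed: registered address at company B's firewall


class StreamRewriter:
    """Replace every occurrence of `needle` with `repl` in a byte stream,
    correctly even when one occurrence is split across two recv() chunks."""

    def __init__(self, needle: bytes, repl: bytes):
        self.needle, self.repl, self.buf = needle, repl, b""

    def feed(self, chunk: bytes) -> bytes:
        buf, n, out, i = self.buf + chunk, len(self.needle), bytearray(), 0
        while True:                       # replace every complete occurrence
            j = buf.find(self.needle, i)
            if j < 0:
                break
            out += buf[i:j] + self.repl
            i = j + n
        rest = buf[i:]
        hold = 0                          # hold back a tail that could be the
        for k in range(min(n - 1, len(rest)), 0, -1):   # start of a split needle
            if self.needle.startswith(rest[-k:]):
                hold = k
                break
        out += rest[:len(rest) - hold]
        self.buf = rest[len(rest) - hold:]
        return bytes(out)

    def flush(self) -> bytes:
        buf, self.buf = self.buf, b""
        return buf


def _pump(src, dst, rewriter=None):
    """Copy bytes src->dst until EOF, optionally through a rewriter."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(rewriter.feed(data) if rewriter else data)
        if rewriter:
            dst.sendall(rewriter.flush())
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_one(listener, server_addr, real_ip=REAL_IP, virtual_ip=VIRTUAL_IP):
    """Accept one client, connect to the real server, relay both directions.
    Only server->client is rewritten: that is where the private address leaks."""
    client, _ = listener.accept()
    server = socket.create_connection(server_addr)
    rw = StreamRewriter(real_ip.encode(), virtual_ip.encode())
    t = threading.Thread(target=_pump, args=(client, server), daemon=True)
    t.start()
    _pump(server, client, rw)
    t.join(timeout=5)
    client.close()
    server.close()


def demo() -> bytes:
    """Loopback run: a fake app server sends its (constructed) callback
    request in two fragments that split the address; returns what the
    client behind the proxy received."""
    fake_server = socket.socket()
    fake_server.bind(("127.0.0.1", 0))
    fake_server.listen(1)

    def fake_app():
        conn, _ = fake_server.accept()
        conn.sendall(b"CALLBACK 10.0")            # address split across sends
        conn.sendall(b".0.5 PORT 6001\r\n")
        conn.close()

    threading.Thread(target=fake_app, daemon=True).start()
    proxy = socket.socket()
    proxy.bind(("127.0.0.1", 0))
    proxy.listen(1)
    threading.Thread(target=serve_one, args=(proxy, fake_server.getsockname()),
                     daemon=True).start()
    received = b""
    with socket.create_connection(proxy.getsockname()) as c:
        while True:
            d = c.recv(4096)
            if not d:
                break
            received += d
    return received


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check before building this for real. First, the rewrite changes the payload length, so a protocol that carries length fields or checksums over the address will break unless the proxy also parses and fixes those; and if the session is encrypted end to end nothing can be rewritten at all. Second, rewriting the address only makes the client aim its extra connections at the registered address; the firewall at company B still has to translate and forward each of those ports, so a full proxy must parse the `PORT`-style fields to learn them (as an FTP ALG does). That is a lot of protocol-specific work, which is why the VPN-into-a-DMZ suggestion in the reply is the cleaner answer.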