You have at least two more options depending on your resources (but it sounds like you're fighting your IT group on this one).
Many hospitals use Terminal Services so that you can basically access a server's desktop (for use by end users - no server-end tools) and then host the application on the server. That way you invest in your server and not in all the clients. It has the added benefit of only needing ONE PORT outbound to the server.

Another option is still VPN. I use MS-VPN but this works with Cisco and Firewall-1 (used them before)... Set up a VPN server on the VistA box (or in the same subnet). Set up a VPN connection from the client and deselect "Use default gateway" in the TCP/IP advanced options. This is what happens:

Normal VPN with "use default gateway" checked

You (192.168.0.*)
|
|
VPN Client (10.0.0.2) - this is the IP the VPN server gives you
|
|
VPN Server (10.0.1.3) - this is the VPN server on the internal network
|
|
Server (10.0.2.4) - whatever you're trying to reach

Normally in a VPN, ALL YOUR TRAFFIC is sent up through the client, to the VPN server, and out to whatever you're trying to access. So in this case, your VPN server (10.0.1.3) knows that in order to get access to the server (10.0.2.4) it has to use its routing table. Same with access to all other IPs like the Internet. This makes sense because the client, the server and the VPN server have to go through a routing table to reach each other (a router or gateway in that network). IF the VPN server and the server you're trying to reach are all in the same range, then you can ignore the default route.

Modified VPN with "use default gateway" unchecked

You (192.168.0.*)
|
|
VPN Client (10.0.0.2) - this is the IP the VPN server gives you
|
|
VPN Server (10.0.0.1) - this is the VPN server on the internal network
|
|
Server (10.0.0.254) - whatever you're trying to reach

Now everyone is in the same range. When the client needs to access anything 10.0.0.*, well - it has an IP in that range so it'll just go access it. Otherwise it'll use ITS OWN DEFAULT ROUTE, which will let you access all your local clients and the Internet.
So if you have to hit 10.0.0.254, you'll use your 10.0.0.2 address. If you want to use google.com, it WON'T go through the VPN client/server route because that's not the default; it'll instead use whatever you had before. Hope that makes sense - you're basically messing with the routing table by configuration and without having to do anything manually. Of course, you can always mess with the routing table manually using the ROUTE command.

Also wondering... What kind of local firewall are you using that doesn't allow access in the manner that you need? Most firewalls (even SP2's Windows Firewall) allow you to open up:
 * A specific application
 * A specific port or range of ports
 * And a scope - can the named application or port be accessible to just one IP, my subnet, a netmask, or everything?

You should be able to say clients can take input from said IP address on all ports and the server can accept input on all ports from said clients.

/David.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CS Wagner
Sent: Friday, September 24, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [Hardhats-members] Vista without CPRS

Our problem is that we have a firewall on our network where the Vista server is. The client side has a firewall also, where CPRS is. CPRS requires a connection from the server to the client on a randomly generated port. To allow for that, we'd have to basically remove the entire client-side firewall. Sure, we can only open ports 5,000 and up, but that's still a huge hole in the firewall.

We tried the VPN route, but that led to yet another issue. The server's network does have VPN, but it is highly restricted. There is a lot of paperwork involved in getting an account set up. Once done, we'd have another problem - the client's computer won't be able to use the client-side network anymore. That means that they'd have to have a CPRS computer on VPN and a regular computer off the VPN for everything else.
As for tunneling on SSH, that would be the #1 solution if CPRS ran well on Linux. We could tunnel into the Vista server on port 22 and display the X-CPRS on the client's machine. We could also upgrade CPRS easily by only upgrading it on the server and not going client to client. But the major drawback is getting CPRS to run on Linux without paying out so much money that we'd be better off buying some other EMR system.

-Shaun

Joseph Dal Molin wrote:
>What is the issue regarding your network security...it will be good to
>know should others have a similar setup?
>
>And dumb question...did you try setting up a VPN and tunneling...??
>
>Joseph
>
>On Fri, 2004-09-24 at 10:32, CS Wagner wrote:
>
>
>>It is becoming clear that we cannot use CPRS with our network security.
>>Is it possible to effectively use Vista without CPRS? I can easily set
>>up SSH accounts for each user so that gtm starts when they log in. I
>>assume that setting the primary menu in Vista will change what they see
>>once gtm starts. I just don't know what menus to give the different
>>people (nurses, providers, clerks...). I also haven't found user
>>documentation. Everything is directed toward the
>>administrator/programmer, not the average user. So, I'm afraid I'll
>>have to set aside a lot of time to write documentation while I'm trying
>>to learn what to do.
>>
>>What I'm trying to get done right now:
>> * Have a provider SSH in and immediately get to a patient selection
>>screen where he can view/edit patient info
>> * Give nurses the same menu - is there any function for a nurse to
>>hand off the patient to a provider without having the nurse log off and
>>having the provider log back in and select the same patient?
>> * Have clerks SSH in and immediately get to a screen to add patients or
>>schedule visits for existing patients.
>>
>>If I can get to that point, my history has included years of making
>>graphical front-ends for telnet/ssh menus (written in Cobol and/or
>>Ada).
>>I will be able to do the same for this without the loop-back
>>security headache of CPRS.
>>
>> -Shaun
>>
>>
>>-------------------------------------------------------
>>This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
>>Project Admins to receive an Apple iPod Mini FREE for your judgement on
>>who ports your project to Linux PPC the best. Sponsored by IBM.
>>Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
>>_______________________________________________
>>Hardhats-members mailing list
>>[EMAIL PROTECTED]
>>https://lists.sourceforge.net/lists/listinfo/hardhats-members
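Added example, not part of the thread and not code from VistA, CPRS or the list: a small Python model of the route selection David describes in his reply. It builds the client's routing table for the two diagrams (the "use default gateway" box checked and unchecked) and does a longest-prefix lookup to show which interface each destination leaves on. The 10.0.x.x and 192.168.0.x addresses come from his diagrams; the LAN gateway 192.168.0.1, the interface names, the metrics, using 10.0.0.1 as the VPN server in both cases, and 8.8.8.8 as a stand-in for "google.com" are assumptions made for the illustration. It also shows the caveat he raises: with the box unchecked, a server on a different internal subnet (10.0.2.4 from the first diagram) is no longer reachable through the tunnel unless you add a route for that subnet by hand, which is the ROUTE command he mentions.

```python
"""Full-tunnel vs split-tunnel VPN route selection on the client.

Added example for this thread (not code from the list or from VistA/CPRS).
It models the two layouts in David's diagrams with a minimal routing table
and a longest-prefix-match lookup. The 10.0.x.x and 192.168.0.x addresses
come from the diagrams; LAN_GATEWAY, the interface names, the metrics and
the public test address are assumptions made for the illustration.
"""
import ipaddress

LAN_GATEWAY = "192.168.0.1"   # assumed gateway of the client's own LAN
VPN_SERVER = "10.0.0.1"       # VPN server address from the second diagram


def build_routes(use_default_gateway):
    """Return the client's routing table as (network, gateway, interface, metric).

    gateway None means the destination is on-link (directly reachable).
    Lower metric wins when two routes have the same prefix length.
    """
    routes = [
        (ipaddress.ip_network("192.168.0.0/24"), None, "lan", 20),    # client's LAN, on-link
        (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY, "lan", 20),  # LAN default route
        (ipaddress.ip_network("10.0.0.0/24"), None, "vpn", 1),        # subnet of the VPN adapter (10.0.0.2)
    ]
    if use_default_gateway:
        # "Use default gateway on remote network" checked: the VPN connection
        # installs a second default route with a better (lower) metric, so
        # everything that is not on the local LAN, Internet included, goes
        # up the tunnel to the VPN server.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), VPN_SERVER, "vpn", 1))
    return routes


def lookup(routes, destination):
    """Longest prefix wins; ties go to the lowest metric. Returns (interface, gateway)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gateway, iface, metric in routes:
        if dst not in net:
            continue
        rank = (net.prefixlen, -metric)   # longer prefix first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, iface, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def add_static_route(routes, network, gateway, iface="vpn", metric=1):
    """What ROUTE ADD does on the client: pin one more subnet to the tunnel
    without making the VPN the default gateway for everything."""
    routes.append((ipaddress.ip_network(network), gateway, iface, metric))
    return routes


def egress_map(use_default_gateway, destinations):
    """Interface each destination leaves on under the given configuration."""
    routes = build_routes(use_default_gateway)
    return {d: lookup(routes, d)[0] for d in destinations}


if __name__ == "__main__":
    targets = [
        "10.0.0.254",    # server on the VPN server's own subnet (second diagram)
        "10.0.2.4",      # server on a different internal subnet (first diagram)
        "192.168.0.50",  # another machine on the client's LAN
        "8.8.8.8",       # stand-in for google.com / the Internet (assumption)
    ]
    print("default gateway checked  :", egress_map(True, targets))
    print("default gateway unchecked:", egress_map(False, targets))
    # With the box unchecked, 10.0.2.4 is no longer reachable through the
    # tunnel. The manual fix is one static route on the client, e.g.
    #   ROUTE ADD 10.0.2.0 MASK 255.255.255.0 10.0.0.1
    routes = add_static_route(build_routes(False), "10.0.2.0/24", VPN_SERVER)
    print("unchecked + static route :", lookup(routes, "10.0.2.4"))
```

With the box checked, every destination outside 192.168.0.0/24 leaves on the VPN adapter, Internet traffic included, which is exactly the "CPRS computer on VPN and a regular computer off the VPN" problem Shaun describes. With it unchecked, only 10.0.0.0/24 uses the tunnel and the client keeps its own default route for the LAN and the Internet; anything on another internal subnet needs its own static route.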