How to access a web service behind NAT?

We have a product that we are deploying for some small businesses. It is basically a RESTful API over SSL using Tomcat. It is installed on a server in the small business and is accessed from an iPhone or other portable device. Thus, the devices connecting to the server can come from any number of IP addresses.

The problem is with the installation. Whenever we install this service, forwarding ports so the outside world can reach Tomcat becomes a problem. Most of the time the owner does not know the router password, etc.

I am trying to explore other ways we could achieve this. I came up with the following and would like to hear other thoughts on the topic.

  • Configure an SSH tunnel from each client office to a central server. Basically, remote devices would connect to this central server on a port, and that traffic would be tunneled back to Tomcat in the office. It seems redundant to have SSH and then SSL, but there really is no other way to achieve this, because I need SSL end to end (from device to office). Not sure what the performance implications are, but I know this will work. The tunnel would need to be monitored and restarted if it goes down, the SSH key exchange would need to be handled, etc.

  • Use UPnP to open the hole for me. It will most likely work most of the time, but UPnP is not guaranteed. Maybe as a next step.

  • Come up with some kind of NAT traversal scheme. I just don't know them and don't know how they work. We have access to a centralized server, which is needed for authentication anyway, if that helps.

What else should I look for to achieve this?

+6
rest web-services networking
8 answers

Could this service be hosted publicly by you or a hosting provider, rather than at the client?

I had a similar situation when I developed kiosks. I never knew what type of network environment I would have to deal with on my next installation.

I ended up creating a PPTP VPN to allow all kiosks to connect to the same server that I host publicly. Then we created a controller web service to allow access to the kiosks, which all connected through the VPN. I'm not sure how familiar you are with VPNs, but with a VPN connection I was able to completely bypass the firewall in front of each kiosk by accessing the kiosk through its assigned VPN address.

Each kiosk node was incredibly easy to set up once I had the VPN server set up. It also brought management and licensing benefits that I had not thought of initially. With this infrastructure, I could easily deploy services available through mobile phones.

Good luck

+8

There are solutions for "dynamically" reaching software on a computer behind NAT, but they are mostly for UDP communication.

The UDP hole punching method is one of them. However, it is not guaranteed to work in all possible situations. If both sides of the connection are behind a symmetric NAT, it will not.

You can really reduce the likelihood that a client will be unable to communicate by using UPnP as a backup (or even primary) alternative.

I don't know web services and don't even know whether using UDP for your web service is an option (or even possible).

Using the same method for direct TCP will most likely fail (TCP connections are not stateless; there are many problems here).

An alternative using the same technique would be to create some kind of UDP-based VPN (just like OpenVPN), but as you stated, you will have to manage keys, certificates, etc. It can be automated (I did it), but still, it is not entirely trivial.

=== EDIT ===

If you really want to use TCP, you can create a simple proxy program on the client boxes that will serve as a relay.

You would have the following setup:

  • The web service on the client boxes, behind NAT.
  • A "proxy" program on the same boxes, establishing an outgoing (thus not blocked) TCP connection to your company's servers.
  • Your company's servers also expose a web service, which requires, for example, a "Client ID" to redirect the request over the appropriate established TCP connection.
  • The proxy program queries the local web service and sends the response to the company's servers, which in turn relay the response to the original requester.

Alternative: you could have the proxy software connect directly to the requester to improve performance, but then you may run into the same NAT problems you are trying to avoid.

+2
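The relay design in the edit above, as an added worked example that is not part of the original answer: office-side agents dial out to a central server and keep that TCP connection open, devices send a request tagged with a client id to the central server, and the server forwards it over the matching agent connection and relays the reply. Everything here is an assumption for illustration: the 4-byte length-prefixed framing, the client id "office-1", the `fake_tomcat` stand-in for the office REST service, and the loopback ports (chosen at run time). A real deployment would carry TLS end to end inside these frames rather than plaintext.

```python
import socket
import struct
import threading
import time


def send_frame(sock, payload):
    """Write one length-prefixed frame (4-byte big-endian length + payload)."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer goes away mid-frame."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


class CentralServer:
    """The company's public server: one listener for office agents dialing out,
    one for mobile devices. Device requests are matched to an agent by client id."""

    def __init__(self, host="127.0.0.1"):
        self.agents = {}  # client_id -> (agent socket, lock serialising its use)
        self._agent_listener = socket.create_server((host, 0))
        self._device_listener = socket.create_server((host, 0))
        self.agent_port = self._agent_listener.getsockname()[1]
        self.device_port = self._device_listener.getsockname()[1]
        for listener, handler in ((self._agent_listener, self._on_agent),
                                  (self._device_listener, self._on_device)):
            threading.Thread(target=self._accept_loop, args=(listener, handler),
                             daemon=True).start()

    def _accept_loop(self, listener, handler):
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    def _on_agent(self, conn):
        # First frame from an agent is its client id (constructed protocol). The
        # connection then stays open, so the NAT mapping it created stays alive.
        client_id = recv_frame(conn).decode()
        self.agents[client_id] = (conn, threading.Lock())

    def _on_device(self, conn):
        # First frame names the office, second frame is the raw request.
        with conn:
            client_id = recv_frame(conn).decode()
            request = recv_frame(conn)
            entry = self.agents.get(client_id)
            if entry is None:
                send_frame(conn, b"ERROR: no agent registered for " + client_id.encode())
                return
            agent_sock, lock = entry
            try:
                with lock:  # one in-flight request per agent connection
                    send_frame(agent_sock, request)
                    reply = recv_frame(agent_sock)
            except OSError:
                self.agents.pop(client_id, None)  # agent died; it will redial
                reply = b"ERROR: agent connection lost"
            send_frame(conn, reply)


def run_agent(server_host, agent_port, client_id, local_service):
    """Office side: dial out (outbound passes NAT without port forwarding),
    register, then answer relayed requests for as long as the link lasts."""
    sock = socket.create_connection((server_host, agent_port))
    send_frame(sock, client_id.encode())
    while True:
        request = recv_frame(sock)
        send_frame(sock, local_service(request))


def device_request(server_host, device_port, client_id, request):
    """Mobile side: ask the central server to relay one request to an office."""
    with socket.create_connection((server_host, device_port)) as sock:
        send_frame(sock, client_id.encode())
        send_frame(sock, request)
        return recv_frame(sock)


def fake_tomcat(request):
    """Constructed stand-in for the office REST service behind the NAT."""
    return b"HTTP/1.1 200 OK\r\n\r\nhandled " + request


def demo():
    server = CentralServer()
    threading.Thread(target=run_agent, daemon=True,
                     args=("127.0.0.1", server.agent_port, "office-1", fake_tomcat)).start()
    deadline = time.time() + 5
    while "office-1" not in server.agents and time.time() < deadline:
        time.sleep(0.01)  # wait for the agent to register before sending
    return {
        "known": device_request("127.0.0.1", server.device_port, "office-1", b"GET /status"),
        "unknown": device_request("127.0.0.1", server.device_port, "office-9", b"GET /status"),
    }


if __name__ == "__main__":
    print(demo())
```

The lock per agent is what makes a single long-lived connection safe to share between concurrent device requests; the answer's alternative of having the agent connect straight back to the requester would drop that serialisation but reintroduce the NAT problem on the device side.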

This is why people now tunnel everything over HTTP, and why some hardware vendors charge a small fee for layer 7 packet filtering.

It is a huge job to fix one problem when the client has at least three. Beyond what you identified, if they do not know their password, then who does? An administrator who no longer works there? That is a problem.

Secondly, if they do not know the password, it means they are almost certainly far behind on firmware updates for their firewall.

I think they should seriously consider doing a PROM reset on their firewall and reconfiguring it from scratch (and updating the firmware while they are at it).

3 birds, one stone.

+2

+1 for going with the SSH tunnel. It is well known, widely available and not that difficult to configure.

However, as you point out, you are already using SSL, so SSH encryption is redundant. Instead of SSH, you could simply use a regular tunneling proxy that provides tunneling without encryption. I used this one in the past and it worked well, although I did not load-test it; it was only used with a few users.

Here is a blog post from someone who used a tunneling proxy to access their webcam from outside their firewall.

+1

Configure Apache in front of your Tomcat. This Apache should be visible from the Internet, whereas Tomcat should not be.

Configure Apache to forward all traffic to Tomcat. This can be done easily with mod_proxy (see the ProxyPass and ProxyPassReverse directives).

You install the SSL certificate in Apache, so all clients talk HTTPS to the Apache server, which in turn talks plain HTTP to Tomcat.

No tunneling or other crap, plus you will be surprised how easy it is to configure Apache for this.

0

I needed to do something similar in the past, and I believe the best option is the first one you proposed.

You can do this easily using ssh with the -R option, public key authentication and a couple of scripts to test the connection. Do not forget the various ssh keepalive and timeout options.

Do not worry about performance. Use unprivileged users and ports if you can. Do not bother setting up a CA; the public key of each remote server is easier to maintain if you are not in the thousands.

Monitoring is pretty simple. Each server must check the service on the central server. If that fails, either the tunnel is down or there is no connectivity. Restarting the tunnel never hurts.

Or you can do it at the network level using IPsec (strongSwan). It may be harder to configure; this is the option I used, but I would use SSH next time, it would have saved me a lot of time.

0
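The reverse tunnel described in this answer and in the first bullet of the question, as an added example that is not from the thread: a small supervisor for `ssh -R` with the keepalive and forward-failure options the answer alludes to, an unprivileged relay account and port, and the health check that restarts the tunnel when the relay-side port stops answering. The relay host name, account, ports and key path are assumptions; `demo_health_check` exercises only the probe, against a throwaway local listener, so it runs without ssh.

```python
import socket
import subprocess
import time

# Assumed deployment values (not from the thread); adjust per office.
RELAY_HOST = "relay.example.com"            # central server the office dials out to
RELAY_USER = "tunnel"                       # unprivileged account on the relay
RELAY_PORT = 18443                          # unprivileged port the relay opens for devices
LOCAL_TOMCAT_PORT = 8443                    # Tomcat HTTPS port behind the NAT
KEY_FILE = "/etc/office-tunnel/id_ed25519"  # per-office key; public half in the relay's authorized_keys


def build_tunnel_command(relay_host=RELAY_HOST, relay_user=RELAY_USER,
                         relay_port=RELAY_PORT, local_port=LOCAL_TOMCAT_PORT,
                         key_file=KEY_FILE, alive_interval=30):
    """Argv for one tunnel process. -N opens no shell; -R makes the relay
    listen on relay_port and hand each connection back to Tomcat here, so the
    device's TLS session still terminates inside the office."""
    return [
        "ssh", "-N",
        "-i", key_file,
        "-o", "BatchMode=yes",                          # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",              # relay key must already be in known_hosts
        "-o", "ExitOnForwardFailure=yes",               # -R port busy? exit so we retry
        "-o", "ServerAliveInterval=%d" % alive_interval,  # notice a silently dropped NAT mapping
        "-o", "ServerAliveCountMax=3",
        "-R", "%d:127.0.0.1:%d" % (relay_port, local_port),
        "%s@%s" % (relay_user, relay_host),
    ]


def port_accepts_connections(host, port, timeout=3.0):
    """Health check: can a TCP connection to host:port be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def supervise(poll_seconds=60, restart_delay=5):
    """Keep one tunnel alive: start ssh, probe the relay-side port, restart on failure."""
    while True:
        proc = subprocess.Popen(build_tunnel_command())
        while proc.poll() is None:
            time.sleep(poll_seconds)
            if not port_accepts_connections(RELAY_HOST, RELAY_PORT):
                proc.terminate()  # ssh is running but the forward is dead
                try:
                    proc.wait(timeout=10)
                except subprocess.TimeoutExpired:
                    proc.kill()
        time.sleep(restart_delay)  # ssh exited (or was killed): back off, then redial


def demo_health_check():
    """Exercise the probe against a local listener, then against the closed port."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    while_listening = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(" ".join(build_tunnel_command()))
    print(demo_health_check())
    supervise()
```

Two relay-side settings matter for this to work as the answer describes: the relay's sshd needs `GatewayPorts yes` (or `clientspecified`, with the bind address given in `-R`), otherwise the forwarded port only listens on the relay's loopback and devices cannot reach it; and the `tunnel` account's authorized_keys entry should carry `restrict,port-forwarding` (and `permitlisten` on recent OpenSSH) so a stolen office key buys nothing beyond that one forward.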

If you want to integrate the RESTful service into the client server, a tunnel to a central server that acts as a proxy is best.

But if this is not a strict requirement, you could let the central server handle the RESTful stuff and integrate the central server and client server with other middleware. Good candidates would be RMI or JMS. For example, a client-initiated RMI connection allows the server to make RMI calls to the client.

0

You could try connecting to the PC/server and tunneling all the data through Hamachi (free VPN software): you install this tool and it creates a reverse connection (from inside your NAT to the outside) so that you can connect to it.

Website: http://hamachi.cc/

0
