Need to Establish TCP Communication Through a Firewall


Thread Starter

Dave

The VB Winsock control works fine when you need to establish a TCP connection over a local network or between two computers on the open internet. However, when one or both of the computers are behind a firewall, Winsock doesn't seem to work at all, at least not the mswinsck.ocx control.

Does anyone know how I could establish a TCP connection through a firewall using VB? Programs like ICQ and MSN Messenger, as well as peer-to-peer programs like Morpheus and Kazaa, establish these kinds of connections, so it definitely is do-able.

Thanks
Dave
 

Eric Richmond

Make sure that both the PC that is trying to initiate the connection and the PC that is being connected to have networking configured properly - that is, they both have the correct netmask, default gateway, etc. set up for the network segment they are on. It could be that one (or both) of the machines doesn't know how to reach the other one (your network admin should be able to help).

Also, make sure that the router(s) between the PCs are configured to permit traffic on whatever port you are trying to use - some network admins configure their routers to drop traffic on certain ports or a range of ports.
 

Mark Hensley

Hi Dave,

The primary issue you need to address when going through a firewall is that of the actual service you are using. Normally when we speak of web services we think of things like HTTP, SMTP, FTP, and so on. These services also define underlying protocol features such as what port number is used by the protocol. In the case of HTTP it's typically 80, for SMTP it's 25, for FTP it's 21. Knowing what port number is being used is very crucial to firewall and router configuration. Firewalls are typically configured to allow common services such as those listed above to enter the corporate network and be directed to specific PCs that will service these protocols.

In your case you are attempting to establish a connection from one PC to another by developing your own link. You more than likely needed to specify a port number that you would connect to on the remote machine. That port number that you have specified must be configured in the firewall if you hope to have any chance of connecting to the remote target. The firewall will need to be configured to route your connection to the PC running your software. The other factor that comes into play with firewalls is NAT (Network Address Translation). In simple terms, what someone sees on the outside of the firewall has little to do with what is seen inside the firewall.


If we assume the following:

General:
You have developed a protocol that uses port 7788.

Local Machine:
PC1 is your local PC; when on the Internet you have an IP of 63.156.230.212. The local PC1 is not currently behind a firewall, so the IP above is seen directly on the Internet. This would be the case if you are on dialup or DSL/cable and do not have a firewall.

Remote Machine:
PC2 is the remote machine located behind a corporate firewall. The firewall has an external Internet IP of 216.23.66.30. PC2, located behind the firewall, has a local LAN IP of 192.168.1.30.

The first thing to realize is that you can't directly use the IP address of PC2. The reason being NAT: the firewall has shielded the internal LAN from the outside world. This has two benefits. First, it offers protection from hackers; secondly, it allows us all to have large corporate networks using TCP/IP without the world running out of IP addresses. So when attempting to connect with PC2 remotely we can't use the IP address 192.168.1.30, since this is not visible to us on the outside.

That leaves the firewall's external IP of 216.23.66.30. Now you can enter this IP into your program, but chances are, as you have found out, you still don't get a connection. The reason comes back to that part about services and port numbers. Since we are using port 7788, the firewall must be configured to allow communication from the outside to cross the firewall when using port number 7788. Configuring the firewall isn't simply a matter of saying "let port 7788 through, thank you". You must also tell the firewall what type of protocol you will be using (TCP or UDP), and most importantly what is the local LAN PC that will be servicing the request.

With that said, we need to configure the firewall to allow port 7788 through, then we need to tell it to send those messages that use port 7788 to our machine PC2 at local LAN IP address 192.168.1.30.

Once all of that is done there is a good chance that you will see data at your remote PC.

To answer your question about applets like Yahoo, MSN, and AOL instant message applications: these products play a little game that counts on your firewall allowing outgoing messages to initiate a connection with a remote server, as is done when you use Internet Explorer to access a web page. Once the connection is made, other little connections can be made back out of your PC and through the firewall as outgoing messages. These outgoing messages are seen as legal traffic, for the most part, being generated by the PC behind the firewall. This allows these applications to establish connections across the firewall because technically they didn't; your PC inside the firewall did. That's a short answer anyway.

Hope something helps.

Good luck.


Mark Hensley
President
Kepware Technologies
81 Bridge St.
Yarmouth Maine 04096
PH: 207-846-5881 ext. 202
Fax: 207-846-5947
WWW: http://www.kepware.com
Looking for OPC Servers, look here.
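The two mechanisms described in the answer above (a NAT firewall with an explicit port-forward rule for the service port, and reply traffic admitted only because a LAN host opened the connection outbound) can be walked through with a small model of a stateful NAT firewall. The example below is added here and is not code from the thread or from Kepware; it uses the addresses and port 7788 from the scenario above, and it assumes a simplified translation in which the outbound source port is kept unchanged and forward rules are keyed by protocol and external port.

```python
from dataclasses import dataclass, replace

# Addresses taken from the scenario in the thread.
PC1_PUBLIC = "63.156.230.212"   # PC1, directly on the Internet
FW_EXTERNAL = "216.23.66.30"    # corporate firewall, Internet side
PC2_LAN = "192.168.1.30"        # PC2, on the LAN behind the firewall
APP_PORT = 7788                 # the port the home-grown protocol uses


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    """Toy model (assumption, not a real product): NAT with port forwarding
    and connection tracking for LAN-initiated traffic."""

    def __init__(self, external_ip, lan_prefix="192.168.1."):
        self.external_ip = external_ip
        self.lan_prefix = lan_prefix
        # (proto, external port) -> (LAN ip, LAN port); set by the admin.
        self.forward_rules = {}
        # (proto, remote ip, remote port, external port) -> (LAN ip, LAN port);
        # created automatically when a LAN host sends outbound.
        self.state = {}

    def add_forward(self, proto, ext_port, lan_ip, lan_port):
        self.forward_rules[(proto, ext_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public IP and remember
        the flow so the reply can be matched. Simplification: the source
        port is kept rather than re-mapped."""
        self.state[(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip)

    def inbound(self, pkt):
        """Internet -> LAN: returns ("FORWARD", translated packet) or ("DROP", reason)."""
        if pkt.dst_ip.startswith(self.lan_prefix):
            return ("DROP", "private LAN address is not routable from the Internet")
        if pkt.dst_ip != self.external_ip:
            return ("DROP", "not addressed to this firewall")
        # 1. Reply to a connection a LAN host opened outbound (messenger-style).
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.state:
            lan_ip, lan_port = self.state[key]
            return ("FORWARD", replace(pkt, dst_ip=lan_ip, dst_port=lan_port))
        # 2. Unsolicited, but the admin configured a forward for proto/port.
        rule = self.forward_rules.get((pkt.proto, pkt.dst_port))
        if rule:
            lan_ip, lan_port = rule
            return ("FORWARD", replace(pkt, dst_ip=lan_ip, dst_port=lan_port))
        # 3. Everything else is dropped.
        return ("DROP", f"no forward rule for {pkt.proto}/{pkt.dst_port} and no outbound state")


def walkthrough():
    """Replays the steps from the thread and returns each verdict."""
    fw = StatefulNatFirewall(FW_EXTERNAL)
    results = {}
    # PC1 tries the LAN address directly: it is not reachable from outside.
    results["direct_lan"] = fw.inbound(Packet("TCP", PC1_PUBLIC, 40000, PC2_LAN, APP_PORT))[0]
    # PC1 tries the firewall's public IP before any rule exists: dropped.
    results["no_rule"] = fw.inbound(Packet("TCP", PC1_PUBLIC, 40001, FW_EXTERNAL, APP_PORT))[0]
    # Admin forwards TCP 7788 to PC2; the same connection attempt now reaches PC2.
    fw.add_forward("TCP", APP_PORT, PC2_LAN, APP_PORT)
    verdict, fwd = fw.inbound(Packet("TCP", PC1_PUBLIC, 40002, FW_EXTERNAL, APP_PORT))
    results["with_rule"] = (verdict, fwd.dst_ip, fwd.dst_port)
    # The rule names the protocol: UDP on the same port is still dropped.
    results["wrong_proto"] = fw.inbound(Packet("UDP", PC1_PUBLIC, 40003, FW_EXTERNAL, APP_PORT))[0]
    # Messenger-style: PC2 connects outbound first (to a web-style port 80 on PC1).
    out = fw.outbound(Packet("TCP", PC2_LAN, 51000, PC1_PUBLIC, 80))
    results["outbound_src"] = out.src_ip
    reply = fw.inbound(Packet("TCP", PC1_PUBLIC, 80, FW_EXTERNAL, 51000))
    results["reply"] = (reply[0], reply[1].dst_ip)
    # The same remote host hitting a port with no state and no rule: dropped.
    results["unsolicited"] = fw.inbound(Packet("TCP", PC1_PUBLIC, 80, FW_EXTERNAL, 51001))[0]
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:14} -> {outcome}")
```

Running the walkthrough shows the two paths a packet can take into the LAN: through a rule the administrator deliberately created for TCP/7788, or as the return half of a flow PC2 itself started. Everything else addressed to 216.23.66.30 is dropped, which is why entering the firewall's public IP into the Winsock control is not enough on its own.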
 