Using a TCP Tunnel for Duplex WCF connections through Proxies in enterprise scenarios - wcf

We're using a duplex contract for one feature in our yet to be released enterprise level LOB application that utilizes a thick client built with WPF and a server built with WCF.
During development so far we've been using the net.tcp binding for best performance. Now that deployment is coming up and issues such as internet access through a web proxy come to light, net.tcp isn't suitable anymore.
I've started using wsHttp and wsDualHttp but have realised in the meantime that duplex connections through a web proxy (and with NAT traversal) aren't really possible.
Now I'm thinking: why can't I set up a TCP tunnel (using proprietary software that supports web proxies, using HTTP CONNECT) and get the best of both worlds: proxy support, speed and security?

It would seem this is a common requirement.
Your options are not expansive. Microsoft's Service Bus is probably your best bet, if it works for your needs. The other options are:
VPN: Pretty self-explanatory.
SSH: SSH has tunneling functionality built-in. If you only have a small number of connections, you might be able to use an off-the-shelf SSH client and server, but with a larger number of connections it's hard to ensure that they all stay connected reliably. Several companies make SSH components you might be able to build upon (they didn't work for our needs), but they are more oriented toward the remote-execution use of SSH than tunneling.
A DIY TCP tunnel, which is a big job. Not impossible, but a big job. And will require a tremendous amount of testing to make sure you've got it right.
As far as running WCF over a tunneled connection, if you go that route, you won't have any problems. All the bindings and features work: callbacks, reliability, message security, transport security, transactions, all work just fine.
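
The HTTP CONNECT handshake the question proposes, shown end to end as an added example (this is not code from the question or the answers): a loopback echo server stands in for the WCF endpoint, a minimal CONNECT-only proxy stands in for the corporate web proxy, and the client asks the proxy for a tunnel and then speaks raw TCP through it. The addresses, names and the echo protocol are constructed for the demo. Two points the exchange makes visible: the proxy sees only the `host:port` in the CONNECT line and never the bytes inside, so the answer's advice still applies and the WCF binding should keep transport security enabled inside the tunnel; and a real proxy sits in front of this handshake with authentication and an allow-list of destination ports (usually only 443), which is why tunnels are normally pointed at a TLS port.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

// serve listens on an ephemeral loopback port and hands each connection to handle.
func serve(handle func(net.Conn)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go handle(c)
		}
	}()
	return ln.Addr().String(), nil
}

// startEchoServer stands in for the WCF endpoint: it returns every byte it receives.
func startEchoServer() (string, error) {
	return serve(func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
}

// startConnectProxy stands in for the corporate proxy; it understands only CONNECT.
func startConnectProxy() (string, error) { return serve(handleConnect) }

func handleConnect(c net.Conn) {
	defer c.Close()
	r := bufio.NewReader(c)
	req, err := http.ReadRequest(r)
	if err != nil || req.Method != http.MethodConnect {
		fmt.Fprint(c, "HTTP/1.1 405 Method Not Allowed\r\n\r\n")
		return
	}
	// For CONNECT, req.Host carries the "host:port" the client asked for.
	target, err := net.Dial("tcp", req.Host)
	if err != nil {
		fmt.Fprint(c, "HTTP/1.1 502 Bad Gateway\r\n\r\n")
		return
	}
	defer target.Close()
	fmt.Fprint(c, "HTTP/1.1 200 Connection Established\r\n\r\n")
	// From here on the proxy is an opaque byte pipe in both directions; it copies
	// from r (not c) so bytes already buffered behind the headers are not lost.
	go func() {
		io.Copy(target, r)
		target.(*net.TCPConn).CloseWrite() // pass the client's EOF on to the server
	}()
	io.Copy(c, target)
}

// tunnelConn is the client's view of the tunnel: a plain net.Conn whose reads
// go through the buffered reader that consumed the proxy's reply headers.
type tunnelConn struct {
	net.Conn
	r *bufio.Reader
}

func (t *tunnelConn) Read(p []byte) (int, error) { return t.r.Read(p) }

// dialViaConnect asks proxyAddr for a tunnel to target and returns a
// connection that behaves like a direct TCP connection to target.
func dialViaConnect(proxyAddr, target string) (net.Conn, error) {
	c, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return nil, err
	}
	fmt.Fprintf(c, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	br := bufio.NewReader(c)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err != nil {
		c.Close()
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		c.Close()
		return nil, fmt.Errorf("proxy refused CONNECT: %s", resp.Status)
	}
	return &tunnelConn{Conn: c, r: br}, nil
}

// roundTrip sends msg through the proxy to target and returns what comes back.
func roundTrip(proxyAddr, target, msg string) (string, error) {
	conn, err := dialViaConnect(proxyAddr, target)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(conn, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}
```

Calling `startEchoServer`, then `startConnectProxy`, then `roundTrip(proxy, echo, "hello through CONNECT")` returns the same string, and asking for a tunnel to a port nothing listens on makes the proxy answer 502, which `dialViaConnect` surfaces as an error instead of a half-open connection.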

Related

Can you use IPsec on a TCP connection programmatically instead of doing user-level SSL/TLS?

I'm not trying to set up a VPN. I want to secure TCP sessions between services that might be implemented in either user mode or as kernel daemons. If it weren't for the kernel requirement, TLS would probably suffice.
First target would be Linux; pointers to any example code in user or kernel mode would be dandy if there are any.
All the existing examples I've found are about creating VPNs and use a bunch of static configuration in protected directories, all of which I'd like to avoid. I imagine I'd be looking at setsockopt things to define keys before listening and connecting, but have so far found nothing.
A VPN will just offer you a secure tunnel for your communication; this also comes at the price of a slower connection or overhead. If you are looking at IPsec, beware that programmatically trying to get a secure and changing IP itself comes with the same price of large overhead for communication.
It is important to know what your specific need is. If you are not bothered about overhead or extra cost, you can definitely go ahead and do IPsec at the network layer. But if you are worried about performance issues or you want less overhead in your communication, SSL/TLS is better for offering you the desired security.

Publicly exposing a WCF service which is behind a firewall

Environment
Consider the following production environment setup for a web application:
End user --Internet--> web server in DMZ --Firewall--> WCF hosted on app server --> DB Server
Constraint:
Also consider that we cannot change anything from the infrastructure point of view. For example, open ports, change any firewall setting etc.
Problem:
We want to expose the WCF, which is hosted on the app server, to external clients. We are trying to solve this as follows:
End user --Internet--> Router WCF in DMZ --Firewall--> WCF hosted on app server --> DB Server
Please note that we cannot establish a db connection from the DMZ environment where the WCF needs to be hosted so that the external clients can consume it. We have developed a "Router WCF" which passes through all messages to the internal WCF and vice-versa.
This solution adds an unnecessary overhead of serializing and de-serializing data. There must be a better and proper way of doing this. We are looking forward to the community for guidance. Thank you.
In a DMZ, the bibliography tells you: always create an intermediate layer. This means another machine on the internet will be the point of connection and it will proxy the connection back to WCF.
The machine is the web server you seem to mention, which is dumb, has no data, and (to be a proper DMZ) has a firewall between it and all the machines (WCF and the others) it serves that permits only the IP:PORTs used on such machines.
In this scenario, usually Apache on the public web server with a URL-rewrite rule (i.e. if it is /x/y send it to servera.internal.com:9900; if it is /x/z send it to serverb.internal.com:9901, etc.) is enough, but there are plenty of solutions of course.
It seems you are doing exactly this, why do you say it is not the proper solution?
DMZs could seem a bit dated as a protection mechanism (I agree) but you have to think back to when servers like your WCF machine had dozens of ports open, and you wanted to lower the risk of random ports on web-facing machines, a giant attack surface. Nowadays everything can work with a couple of ports open, so it can seem "silly" to do all of this just to forward a TCP port. But it is still valuable as (for example) if servers behind the web server in the DMZ do not have internet access, even when WCF is compromised, the attacker cannot use its own reverse shell to deploy what is nowadays called an APT (yesterday a backdoor). The attacker "won't see" his own machine from WCF, as the DMZ provides the connection to the external world.
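
The path-based forwarding rule the answer describes for the DMZ host (/x/y to one internal server, /x/z to another, nothing else forwarded), written out as an added example rather than code from the question or answer, and in Go instead of the Apache configuration the answer mentions. The two backends are in-process stand-ins constructed for the demo; in the real layout they would be `servera.internal.com:9900` and `serverb.internal.com:9901` behind the firewall, reachable from the DMZ host only. The point worth checking in any such router is the last case: a path outside the allow-list must be refused by the DMZ host itself, so it never turns into a generic forwarder into the internal network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// route pairs a public path prefix with the internal backend that owns it.
type route struct{ prefix, backend string }

// newRouter builds the handler the DMZ host runs. Each listed prefix is
// forwarded to its backend; any other path gets a 404 from the mux, so the
// host forwards only what is explicitly allow-listed.
func newRouter(routes []route) (http.Handler, error) {
	mux := http.NewServeMux()
	for _, rt := range routes {
		u, err := url.Parse(rt.backend)
		if err != nil {
			return nil, err
		}
		// A pattern ending in "/" matches the whole subtree below it.
		mux.Handle(rt.prefix, httputil.NewSingleHostReverseProxy(u))
	}
	return mux, nil
}

// startBackend is a stand-in for an internal application server (constructed
// for the demo); it reports its name and the path that reached it.
func startBackend(name string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s saw %s", name, r.URL.Path)
	}))
}

// fetch drives one GET through the router and returns the status and body.
func fetch(router http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	a, b := startBackend("servera"), startBackend("serverb")
	defer a.Close()
	defer b.Close()
	router, err := newRouter([]route{{"/x/y/", a.URL}, {"/x/z/", b.URL}})
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/x/y/orders", "/x/z/reports", "/admin/"} {
		code, body := fetch(router, p)
		fmt.Printf("%-14s -> %d %s\n", p, code, body)
	}
}
```

Running it shows `/x/y/orders` answered by servera, `/x/z/reports` by serverb, and `/admin/` rejected with 404 before any backend is contacted.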

Is ssh port forwarding an acceptable way to communicate with internal API services?

If you're building a distributed architecture with various services, is it acceptable to have those services communicate via SSH port forwarding, so that to a client a service looks like it's being served on a local port?
The only person who can answer "is it acceptable" is you, or your client.
Is it wise? Probably not, because SSL with certificates at both ends will deliver the same capability with a much less troublesome intermediate layer, but that is an engineering decision you have to make.
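
What "SSL with certificates at both ends" looks like between two services, as an added example (not code from the question or answer): a throwaway CA issues one certificate to the API server and one to a calling service, the server requires a client certificate that chains to that CA, and the verified client name is what the server would key its authorization on. The CA, the names `api.internal` and `billing-service`, and the greeting protocol are constructed for the demo; a deployment issues the certificates from its own PKI instead of generating them in memory. The failure mode to check is the second call: a client that presents no certificate gets no application data at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// pki is a throwaway in-memory CA with one leaf certificate per side
// (constructed for the demo; a real deployment issues these from its PKI).
type pki struct {
	pool           *x509.CertPool
	server, client tls.Certificate
}

func newPKI() (*pki, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// leaf issues a certificate for name, restricted to a single use (server or client auth).
	leaf := func(name string, use x509.ExtKeyUsage, serial int64) (tls.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return tls.Certificate{}, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames:  []string{name},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{use},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
	}
	srv, err := leaf("api.internal", x509.ExtKeyUsageServerAuth, 2)
	if err != nil {
		return nil, err
	}
	cli, err := leaf("billing-service", x509.ExtKeyUsageClientAuth, 3)
	if err != nil {
		return nil, err
	}
	return &pki{pool: pool, server: srv, client: cli}, nil
}

// startServer listens with mutual TLS: it presents the server certificate and
// requires a client certificate that chains to the demo CA.
func startServer(p *pki) (string, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{p.server},
		ClientCAs:    p.pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil {
					return // unauthenticated peer: no application data is ever sent
				}
				// The verified client identity is what authorization decisions key on.
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// callServer connects as the calling service, optionally presenting its
// certificate, and returns the server's greeting (or the TLS error).
func callServer(p *pki, addr string, presentCert bool) (string, error) {
	cfg := &tls.Config{RootCAs: p.pool, ServerName: "api.internal", MinVersion: tls.VersionTLS12}
	if presentCert {
		cfg.Certificates = []tls.Certificate{p.client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	b, err := io.ReadAll(conn)
	return string(b), err
}
```

With `p, _ := newPKI()` and `addr, _ := startServer(p)`, `callServer(p, addr, true)` returns `hello billing-service`; `callServer(p, addr, false)` returns an error, because the server aborts the handshake before writing anything. Compared with the SSH forwarding in the question, this carries the peer identity in the connection itself, with no intermediate tunnel process to keep alive.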

TCP connection and firewalls

On the Internet, if you need fast, secure server-to-server communication, and you can specify which firewall ports are open, NetTcpBinding can prove very valuable.
a) Is text implying that with some other connection protocols, such as HTTP, we don't need to check for open firewall ports?
b) Why would NetTcpBinding only be useful for server-to-server communications, but not for client-to-server communications?
thank you
a) When you deploy to an enterprise, you usually don't have control over their external firewall. The setup of their firewall is made by network administrators following an enterprise wide policy. External firewalls almost always allow outgoing HTTP requests (otherwise you couldn't browse the web). Some corporate firewalls block outgoing TCP requests, which means you cannot use netTcpBinding. As an example, see this question for somebody trying to deal with that issue. If you KNOW that the firewall of every one of your customers will allow outgoing TCP, then NetTcpBinding is an appropriate choice.
b) Who says NetTcpBinding is only useful for server-to-server communications? You can deploy a client-server application into an enterprise, and providing the clients and the servers are all within the intranet, then NetTcpBinding is an appropriate choice of binding.

Will messages between WCF Services hop over a WiFi Network/WLAN?

In my office building we have laptops on multiple floors all running a WCF Service. When WCF services communicate with each other, will a message for an out-of-range device automatically reach it by multi-hopping? Does WCF/the WLAN device driver handle this? Or do I have to detect if a device is not contactable/out-of-range and implement hopping in my own service?
As long as you have a connection from your WCF client to the service - yes, all avenues will be used. You shouldn't have to concern yourself with things like what network path your messages take - the network just has to be present and stable for the duration of a call ;-)
There's nothing in WCF to deal with this, really - this should be handled way lower in the network stack, by the driver or the OS.
Short answer
With WCF you can do either or both of these:
Rely on an underlying protocol like IP to handle roaming
Use custom channel code that handles retries, roaming, etc the way you want it
No special mechanism for enhancing roaming is provided in the WCF classes Microsoft provides, but the framework itself is easily capable of supporting this seamlessly if you write or find a channel implementation to do this.
Full answer
WCF is not an on-the-wire protocol. It is a framework that allows you to communicate using a wide variety of protocols and network stacks. This allows you to use the same client and server code whether you are using HTTPS, raw TCP, named pipes, or any other protocol.
WCF ships with many channels in the box, and you can add your own. For example, if you want to communicate over Bluetooth or IrDA, just create a new channel that talks these protocols and you can use your WCF services over it. These channels can also be found online or purchased from vendors.
Most networking today is done using the IP protocol, and if you are using WCF to communicate between desktop machines you will probably be using some protocol(s) on top of IP, for example TCP or HTTP. In this case, IP's normal routing rules will be used, so if the two machines can exchange IP packets you can communicate using WCF.
So if your WiFi access points allow seamless roaming you will be able to tap into that functionality using WCF.
If your WiFi routing doesn't have seamless roaming, you will have to do some extra work if you want to maintain a connection during roaming. Specifically, you will need to create a channel that will respond to a closed connection by re-resolving the server name and retrying the request. Of course you will have to use DNS or another protocol so the server can update its registration as its IP address changes.
WCF is flexible enough to allow you to create such a channel and use it without your application code ever realizing it. But nothing like this comes in the box: You would have to build it, or download or purchase it.
It has nothing to do with WCF...
If there is a connection between the computers at the IP level, then the message will get through...