ALMobile and my Firewall
April 1st, 2010 by Rob

Prospects and customers alike regularly ask us how remote access for laptops, netbooks and smartphones works through their company firewall. The answer is both simple and complex. The simple answer is that it is up to the customer. The complex answer is, well, complicated! Let’s take a few minutes to discuss this so that we can get back to the simple answer.
First, it is important to know that the ALMobile solution uses a service-oriented architecture (SOA). This means that ALMobile exposes several services that respond to requests from the users’ devices. For example, a device may ask a service “give me a list of employees”, and the service responds with a list filtered according to the current user’s data security settings.
Each of these services runs on the ALMobile server, and when the software is installed on the device (e.g. PC, laptop or smartphone), we tell the device where the server is so that it can find the services it needs to communicate with. In the internet and network world, every “device” has an address called an IP address. Some IP addresses are private, which means they are only known to the local network, such as within your office. Some IP addresses are public, which means they are unique addresses visible on the internet. Firewalls basically function as the “postal carrier” between the public addresses of the internet and the private addresses behind them, typically using a technique called Network Address Translation (NAT).
So, if your PC connects to a website somewhere, what really happens is that it looks up the public IP address for that website (that is another complicated story dealing with DNS, which we can leave for another day) and your browser “connects” over the internet to that address. The firewall at the website end “forwards” that request to the internal (private) IP address of the web server for that website. The web server then responds with a page and sends it back to your public IP address (the address of your firewall on the internet), your firewall forwards that page to the internal (private) IP address of your PC, and your browser displays the page. Whew! Quite the round trip, huh?
Firewalls keep track of traffic and “map” external IP addresses to internal IP addresses; the reply only gets back in because the firewall remembers that a PC inside asked for it. It even gets more complex than that! Firewalls can map specific public ports within a single public IP address to specific internal IP addresses (called Port Address Translation (PAT)). For instance, if a company has a web server and a separate mail server, then TCP port 80 (for HTTP communication) would be mapped to the internal IP address of the web server and TCP port 25 (for SMTP communication) would be mapped to the internal IP address of the mail server, even though both servers share the same public IP address as far as the rest of the world is concerned! Tracking so far? I told you it gets complicated before it gets simple!
So, back to the ALMobile services. Each service running on the ALMobile server uses a specific port on the server’s private IP address for communication. The software on the remote device knows the port numbers, and we have told it the IP address of the server too, so it should be able to find the server and all is good, right? Almost! The problem comes when we have to get past the firewall. If your firewall doesn’t know how to map the ALMobile service ports to the ALMobile server, then any ALMobile device outside your private network will not be able to get through to the ALMobile server. You would need to “open” those ports on the firewall and map them to the IP address of the ALMobile server (only the ports the services actually use, nothing broader). Our support staff can work with your IT personnel on the details of which ports are required to be mapped. Once that is done, the remote ALMobile devices should all be happy!
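To make the mapping concrete, here is a small Python model of a stateful NAT/PAT firewall, written for this post as an added example (it is not ALMobile code or any real firewall). It tracks outbound connections so replies get back to the right PC, forwards ports 80 and 25 to two different internal servers, and shows a remote device’s request to an ALMobile service port being dropped until a rule for that port is added. The addresses come from the documentation ranges and the ALMobile port number 8123 is made up; the real port list comes from our support staff.

```python
"""Stateful NAT/PAT model of the firewall described in the post.

Added example: illustrative code, not ALMobile or Austin Lane software.
Addresses, ports and the ALMobile service port are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    """NAT/PAT firewall with connection tracking and explicit port forwards."""

    def __init__(self, public_ip, private_prefix, first_nat_port=40000):
        self.public_ip = public_ip
        self.private_prefix = private_prefix   # e.g. "192.168.1."
        self.forwards = {}    # public port -> (private ip, private port)
        self.conntrack = {}   # nat port -> (priv ip, priv port, remote ip, remote port)
        self.next_port = first_nat_port

    def add_forward(self, public_port, private_ip, private_port=None):
        """'Open' a port: map it to an internal server (PAT)."""
        self.forwards[public_port] = (private_ip, private_port or public_port)

    def outbound(self, pkt):
        """Private host -> internet: source becomes the public IP plus a tracked port."""
        if not pkt.src_ip.startswith(self.private_prefix):
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for nat_port, tracked in self.conntrack.items():
            if tracked == flow:               # same flow: reuse its mapping
                return replace(pkt, src_ip=self.public_ip, src_port=nat_port)
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[nat_port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=nat_port)

    def inbound(self, pkt):
        """Internet -> firewall. Returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        tracked = self.conntrack.get(pkt.dst_port)
        # A reply to a conversation an inside host started, from the host it talked to.
        if tracked and tracked[2:] == (pkt.src_ip, pkt.src_port):
            return replace(pkt, dst_ip=tracked[0], dst_port=tracked[1])
        # Otherwise only an explicitly forwarded port gets through.
        fwd = self.forwards.get(pkt.dst_port)
        if fwd:
            return replace(pkt, dst_ip=fwd[0], dst_port=fwd[1])
        return None


def demo():
    """Walk through the scenarios in the post; returns the results for inspection."""
    fw = Firewall("203.0.113.10", "192.168.1.")
    fw.add_forward(80, "192.168.1.20")   # web server
    fw.add_forward(25, "192.168.1.30")   # mail server
    results = {}

    # An office PC browses a website; the reply finds its way back via conntrack.
    out = fw.outbound(Packet("192.168.1.50", 51515, "198.51.100.7", 80))
    results["browse_out"] = out
    results["browse_reply"] = fw.inbound(Packet("198.51.100.7", 80, "203.0.113.10", out.src_port))
    # Someone else probing that same NAT port is not a reply and is dropped.
    results["stray_on_nat_port"] = fw.inbound(Packet("198.51.100.99", 80, "203.0.113.10", out.src_port))

    # Unsolicited inbound: ports 80 and 25 are forwarded to different servers.
    results["web"] = fw.inbound(Packet("198.51.100.9", 40001, "203.0.113.10", 80))
    results["mail"] = fw.inbound(Packet("198.51.100.9", 40002, "203.0.113.10", 25))

    # A remote ALMobile device hits a service port (hypothetical number) with no rule yet.
    almobile_port = 8123   # constructed; the real ports come from Austin Lane support
    probe = Packet("198.51.100.9", 40003, "203.0.113.10", almobile_port)
    results["almobile_before_rule"] = fw.inbound(probe)
    fw.add_forward(almobile_port, "192.168.1.40")   # "open" the port to the ALMobile server
    results["almobile_after_rule"] = fw.inbound(probe)
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:22} {pkt if pkt else 'DROPPED'}")
```

Run it and the last two lines show the same probe dropped before the rule and translated to the ALMobile server’s private address after it. The stray probe to a tracked NAT port is also dropped: a stateful firewall only admits replies from the host an inside PC actually talked to, which is why an unopened service port is unreachable from outside.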
Some customers are hesitant to open up ports on their firewall for fear of security risks. This is entirely understandable (an opened port exposes that service to anyone on the internet, not just your ALMobile users), and so there is a way to make all of this work without opening ports: a technique called a Virtual Private Network (VPN). A VPN can be set up in basically two ways. Either you can have a software program running on one of your internal servers that serves as your internal VPN “endpoint”, or you can have a firewall that is able to function as the VPN endpoint. It is highly recommended that you use a VPN-capable firewall, as VPN software can place a considerable load on your server and software VPNs tend to be less stable than hardware-based VPNs in firewalls.
So, what is a VPN? It is pretty much what it sounds like. A VPN connects your remote device to your office’s private network by creating a virtual “tunnel” across the internet. Once the tunnel is open, your remote device can basically act just like it is connected to your office’s internal private network. That means the firewall no longer has to “map” ports or anything like that. All communication between your remote device and the ALMobile server is direct communication to the private IP address of the ALMobile server and the ports of the ALMobile services; the only thing exposed to the internet is the VPN endpoint itself. Pretty cool stuff! The flip side is that a device on the tunnel is effectively inside your network, so which laptops and phones are allowed to connect, and how their users authenticate, deserve the same care as the firewall rules themselves.
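Here is a second added illustration, again Python written for this post rather than any real VPN or ALMobile code, of the one property the tunnel gives you. Inside the tunnel the remote device addresses the ALMobile server by its private IP; the packet that actually crosses the internet is addressed to the firewall’s public IP on a single tunnel port, and the endpoint on the firewall checks an HMAC tag and a sequence number before handing the inner packet to the LAN. The pre-shared key, the addresses and the tunnel port 500 are constructed, and real VPNs also encrypt the inner packet and negotiate keys, which this sketch leaves out.

```python
"""VPN tunnel encapsulation: why no per-service port mapping is needed.

Added example; illustrative only, not ALMobile/Austin Lane code or a real VPN.
Integrity only (HMAC-SHA256); a real VPN also encrypts. Key, addresses and
ports are constructed.
"""
import hashlib
import hmac
import json

FIREWALL_PUBLIC_IP = "203.0.113.10"   # constructed
TUNNEL_PORT = 500                     # constructed; the only port the firewall exposes
PRIVATE_PREFIX = "192.168.1."         # the office LAN
PSK = b"constructed-pre-shared-key"   # hypothetical tunnel key


class RemoteDevice:
    """Laptop/phone side: wraps LAN-addressed packets for the trip across the internet."""

    def __init__(self, key=PSK):
        self.key = key
        self.seq = 0

    def send(self, inner):
        """Inner packet keeps the ALMobile server's private address; outer goes to the firewall."""
        self.seq += 1
        body = json.dumps({"seq": self.seq, "pkt": inner}, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"dst_ip": FIREWALL_PUBLIC_IP, "dst_port": TUNNEL_PORT,
                "body": body, "tag": tag}


class VpnEndpoint:
    """Firewall side: verify, unwrap, and admit only traffic bound for the LAN."""

    def __init__(self, key=PSK):
        self.key = key
        self.last_seq = 0

    def receive(self, outer):
        """Returns the inner packet to put on the LAN, or a reason string for a drop."""
        if outer["dst_ip"] != FIREWALL_PUBLIC_IP or outer["dst_port"] != TUNNEL_PORT:
            return "not for the tunnel"
        expected = hmac.new(self.key, outer["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["tag"]):
            return "bad tag"              # tampered in transit, or wrong key
        msg = json.loads(outer["body"])
        if msg["seq"] <= self.last_seq:
            return "replay"               # an old packet captured and resent
        self.last_seq = msg["seq"]
        inner = msg["pkt"]
        if not inner["dst_ip"].startswith(PRIVATE_PREFIX):
            return "not a LAN destination"   # tunnel policy: office network only
        return inner


def demo():
    """Good packet, replay, tampering, wrong key, and an off-LAN destination."""
    dev, fw = RemoteDevice(), VpnEndpoint()
    almobile = {"dst_ip": "192.168.1.40", "dst_port": 8123,   # constructed server/port
                "data": "give me a list of employees"}
    results = {}
    good = dev.send(almobile)
    results["delivered"] = fw.receive(good)
    results["replayed"] = fw.receive(good)
    tampered = dict(good)
    tampered["body"] = good["body"].replace(b"1.40", b"1.41")
    results["tampered"] = fw.receive(tampered)
    results["wrong_key"] = fw.receive(RemoteDevice(key=b"guess").send(almobile))
    results["off_lan"] = fw.receive(dev.send({"dst_ip": "8.8.8.8", "dst_port": 53, "data": ""}))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

The delivered packet comes out still addressed to 192.168.1.40:8123, which is exactly what the device would have sent on the office LAN; the firewall never needed a rule for that port, only for the tunnel itself. The other four outcomes are the checks a tunnel endpoint has to make before it trusts what came out of the wrapper.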
If you aren’t comfortable opening ALMobile ports on your firewall, and your firewall is not VPN-capable, there is another solution, but it should be used only where you have ALMobile installed on its own server, separate from your domain controller, ERP software, etc. Also, this option will not work for smartphones, only for remote desktops, laptops and netbooks. This last option is to open the Terminal Services port on your firewall (Remote Desktop Protocol uses TCP port 3389 by default) and have that port directed to a Terminal Services server (which could be the same server as ALMobile or not, based on your system administrator’s preference). Your remote laptops, netbooks, etc. can then connect to that server, open a “desktop” on it and run ALMobile over Remote Desktop Protocol. This can work great, but it does put additional load on the ALMobile server, hence the requirement for it to be its own separate machine for acceptable performance and so that it does not interfere with internal users of other primary systems. Keep in mind that a Remote Desktop port open to the internet will see logon attempts from strangers, so restrict the firewall rule to known source addresses where you can and insist on strong passwords for the accounts allowed to log on that way. If you have any PDAs or smartphones, this option is not viable, and Austin Lane prefers customers to use a VPN-enabled firewall over this solution to better disperse the workload, but this solution can make sense in certain customer scenarios.
So, having covered all of that, you can see that the simple answer is that it is up to the customer. There are essentially three options:
1. Open ALMobile service ports on the firewall.
2. Use a VPN-enabled firewall.
3. Use Terminal Services through the firewall (no PDAs or smartphones).
Hopefully this has cleared up the complexity of this topic. In any case, we advise customers to contact us about their needs and Austin Lane is happy to work with your IT staff to determine and implement the optimal solution.
Firewalls are good, and Austin Lane has designed a solution that is IT-friendly, maintaining a high level of security while communicating across your firewall.