The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.


Integrate Software VPN Client into Winform App Launch

We have a .Net/SQL Server Winform app that we would like to give to our mobile users. Obviously, the client installed on the laptop - database located at the home office server.  To maintain some sort of security on this application, we would like to integrate a software VPN solution with the client.

Exactly what we would like to happen is for our client to launch a software vpn client connection.  If the tunnel does not connect successfully, then our application would end.

Does anybody have any recommendations about how to go about doing this?  VPN clients that integrate well.  VPN clients that you wouldn't trust...  Any information on this subject would be helpful.

Aaron Smith
Thursday, April 27, 2006
Just my thought but have you thought about a webservice over port 443 using SSL?  Eliminates the need for VPN

Something about VPNs is that I've found it common to have firewalls and such block them.  So unless your remote people are always someplace that you know is good you'll have that worry.  If they move around a lot, 90% of the time you'll be fine and the other 10% you'll be pulling out hair and trying to get them working.
Thursday, April 27, 2006
No doubt that would be the best solution, but that would require rewriting large portions of the data access code.  Something we would prefer to avoid as this is a pretty solid/debugged app.  The less code we have to write/change to implement this solution the better.

The port problem does worry me though....
Aaron Smith
Thursday, April 27, 2006
What about having the desktop app write to a virtual database that is actually a new application that then handles the webservice data transfer?

Without knowing your database setup there are many ways you could do it.

For instance, if it's MSDE/SQL Server then install the MSDE locally and set up a merge replication that works over the web service.

Ideally though, something that just mimics the database and does a realtime connection would probably be better.
Friday, April 28, 2006
I believe SQL Server 2k and up support direct SSL connections.  Using that would probably be the simplest way to secure that link.
Doug
Friday, April 28, 2006
Every employer I've worked with required the Cisco VPN software, and I would guess by now it's a de facto standard. However, it doesn't have a very good reputation as far as predictable release schedules and prompt security fixes go.

Cisco also limits redistribution of their client. I suspect they're practicing a security through obscurity paradigm to the extent that your operations department would be responsible for downloading it from Cisco, then distributing it to authorized users.

Given my experiences, I strongly recommend that you limit your involvement to simply checking for a secure connection and returning an appropriate error message if one isn't found. If you choose the full integration route, then you're on the hook for maintaining, supporting, and distributing the VPN software itself (assuming you choose Cisco's).

You also risk a scenario where you have two or more applications that need to connect to the company intranet; debugging connection problems will become a nightmare.
Monday, May 01, 2006
You could set up an IPSEC VPN with WinXP and Windows server and just tunnel your connection.  Then, in your application, just check to see if the tunnel is up or down; there are a number of ways to check the tunnel.  Pinging the server seems simple.  Another method could be use of PPTP.

Since you are using MS at both end points, you don't need any other software.

If you are behind firewalls that do NAT, you can still do this but instead of IKE, you can do shared secret or manual keys.  If ports get in the way, use port 443 or 80 -- The only caveat is proxy based firewalls.
Thursday, May 04, 2006
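A fail-closed startup check of the kind the replies above describe (verify the link before running the app, and exit with an error message otherwise), written as an added example for this thread and not taken from any poster's code. The host name, port, database name and `MainForm` are placeholders; the check uses a TCP connect to the SQL port rather than a ping, since ICMP is often filtered while the tunnel still passes SQL traffic, and then opens the SQL Server connection with `Encrypt=True` so the link itself is validated.

```csharp
using System;
using System.Data.SqlClient;
using System.Net.Sockets;
using System.Windows.Forms;

static class SecureLinkCheck
{
    // Placeholders: the home-office SQL Server and database (assumed values).
    const string DbHost = "db.example.internal";
    const int DbPort = 1433;                      // default SQL Server TCP port
    const string ConnString =
        "Data Source=db.example.internal,1433;Initial Catalog=AppDb;" +
        "Integrated Security=True;Encrypt=True;TrustServerCertificate=False;" +
        "Connect Timeout=10";

    // Step 1: is the tunnel usable? TCP connect to the SQL port with a timeout;
    // this is more reliable than ping, because ICMP is frequently blocked.
    static bool TunnelReachable(string host, int port, int timeoutMs)
    {
        using (var client = new TcpClient())
        {
            IAsyncResult ar = client.BeginConnect(host, port, null, null);
            if (!ar.AsyncWaitHandle.WaitOne(timeoutMs))
                return false;                     // no route: tunnel down or port blocked
            try { client.EndConnect(ar); return true; }
            catch (SocketException) { return false; }
        }
    }

    // Step 2: the link must be encrypted. Encrypt=True with
    // TrustServerCertificate=False makes the driver validate the server's
    // certificate, so a plaintext or spoofed endpoint fails here rather than
    // silently carrying data in the clear.
    static bool EncryptedDbLinkOk()
    {
        try
        {
            using (var conn = new SqlConnection(ConnString)) { conn.Open(); return true; }
        }
        catch (SqlException) { return false; }
    }

    [STAThread]
    static void Main()
    {
        if (!TunnelReachable(DbHost, DbPort, 5000) || !EncryptedDbLinkOk())
        {
            MessageBox.Show("Secure connection to the office server is not available. " +
                            "Connect the VPN and restart.", "Connection required",
                            MessageBoxButtons.OK, MessageBoxIcon.Error);
            return;                               // fail closed: do not start the app
        }
        Application.Run(new MainForm());          // MainForm: the app's existing form (assumed)
    }
}
```

If the app must also react to the tunnel dropping mid-session, the same two checks can be re-run from a timer or on each failed query rather than only at startup.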
