
Hi Giles:

Do the computers you maintain need to accept arbitrary inbound connections from the external system? Or other systems? If not, then in this scenario they're really clients to the external system's server(s). In this case you can use a NAT router, where all outbound connections come from the same IP address. Any external servers they connect to can exchange data.

If your application servers do need to accept arbitrary inbound connections, are there inbound port duplicates? I.e., are there multiple computers that need to accept HTTP traffic on port 80? Or FTP? Or SSH? If not, then you can still use a NAT router, but you'll need to set up inbound port forwarding.

For both these scenarios a consumer-level router has the smarts to accomplish your task, although I'd recommend something a bit more robust like pfSense.

If you do need to accept arbitrary inbound requests on duplicate port numbers for different servers, then I don't see an easy way to do that on one IP address... (needs an application-level router that can determine what hostname is being addressed, what used to be called a "bastion server").

--Bob.

On 2016-09-03 11:05 AM, Giles Orr via talk wrote:
> I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
>
> I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
>
> This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
>
> A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
>
> Thanks!
-- 
Bob Jonkman <bjonkman@sobac.com>
Phone: +1-519-635-9413
SOBAC Microcomputer Services
http://sobac.com/sobac/
Software --- Office & Business Automation --- Consulting
GnuPG Fngrprnt: 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
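As an added illustration of the NAT-router setup Bob describes (this is example code written for this page, not anything posted by Bob or Giles), the script below emits an nftables ruleset for a Linux box sitting between the application servers and the internet: every outbound connection from the LAN subnet is masqueraded behind the router's single fixed address, so the external firewall only ever sees that one IP, and each requested inbound port forward is checked for the "duplicate port" case before any rule is written, since one public address can only send a given port/protocol to one internal host. The interface name, subnet and host addresses are assumed placeholders, not values from the thread, and the forward specs are IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): generate an
# nftables NAT ruleset for the "fixed egress IP + optional port forwards"
# scenario. Assumed defaults; override with environment variables.
set -eu

WAN_IF="${WAN_IF:-eth0}"           # assumed: interface carrying the fixed public IP
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # assumed: subnet the application servers live on

# Each argument is "port:proto:host", e.g. 80:tcp:10.0.0.10 (IPv4 hosts only).
# Refuse the ruleset if the same port/proto pair is requested twice, because a
# single public address cannot forward one port to two different servers.
check_forwards() {
  seen=""
  for spec in "$@"; do
    key=${spec%:*}                      # strip ":host" -> "port:proto"
    case " $seen " in
      *" $key "*)
        echo "duplicate inbound $key: needs a second public IP or an application-level proxy" >&2
        return 1 ;;
    esac
    seen="$seen $key"
  done
  return 0
}

# Print the nft(8) ruleset to stdout. Prerouting DNAT entries implement the
# inbound port forwards; postrouting masquerade gives all LAN hosts the same
# outbound source address. (Packet forwarding itself still has to be enabled
# with sysctl net.ipv4.ip_forward=1 on the router.)
gen_ruleset() {
  check_forwards "$@" || return 1
  printf 'table ip nat {\n'
  printf '  chain prerouting {\n'
  printf '    type nat hook prerouting priority -100;\n'
  for spec in "$@"; do
    port=${spec%%:*}
    rest=${spec#*:}
    proto=${rest%%:*}
    host=${rest#*:}
    printf '    iifname "%s" %s dport %s dnat to %s\n' "$WAN_IF" "$proto" "$port" "$host"
  done
  printf '  }\n'
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority 100;\n'
  printf '    oifname "%s" ip saddr %s masquerade\n' "$WAN_IF" "$LAN_NET"
  printf '  }\n'
  printf '}\n'
}

# Usage: gen_ruleset 80:tcp:10.0.0.10 22:tcp:10.0.0.11 > /etc/nftables.conf
# With no arguments it produces the pure outbound-only NAT Bob suggests first.
```

Feed the output to `nft -f` on the router; the script deliberately stops with a non-zero exit when two forwards collide on the same port and protocol, which is exactly the case Bob says cannot be solved on one IP without a hostname-aware application-level proxy in front.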